CVE-2024-54551
Published: 21 March 2025
Summary
CVE-2024-54551 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Apple Safari. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Ensures timely remediation of the memory handling flaw through patching to versions like Safari 17.6, directly preventing exploitation leading to denial-of-service.
Implements memory protections such as ASLR and DEP to mitigate CWE-119 memory corruption vulnerabilities exploited by malicious web content.
Provides denial-of-service protections that limit the impact of memory handling flaws triggered by remote web content processing.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The memory handling vulnerability (CWE-119) in Safari enables remote attackers to deliver malicious web content causing application crashes and denial-of-service (A:H impact, no C/I), directly facilitating T1499.004 via client-side exploitation of software vulnerabilities to degrade availability.
NVD Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, watchOS 10.6. Processing web content may lead to a denial-of-service.
Deeper analysisAI
CVE-2024-54551 is a memory handling vulnerability (CWE-119) affecting Apple's Safari browser and related components across multiple platforms. The flaw, which received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), enables denial-of-service when processing web content. It impacts versions of Safari prior to 17.6, iOS prior to 17.6, iPadOS prior to 17.6, macOS Sonoma prior to 14.6, tvOS prior to 17.6, visionOS prior to 1.3, and watchOS prior to 10.6.
Remote attackers require no privileges or user interaction to exploit the vulnerability over the network with low complexity. By delivering malicious web content, such as via a crafted webpage, an attacker can trigger the memory handling issue, resulting in a denial-of-service condition, typically manifesting as an application crash or arbitrary code execution disruption limited to availability impact.
Apple security advisories confirm the issue was addressed through improved memory handling in the specified fixed releases: Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, and watchOS 10.6. Security practitioners should prioritize updating affected devices to these versions or later to mitigate the risk, as detailed in Apple's support documents at https://support.apple.com/en-us/120909, https://support.apple.com/en-us/120911, https://support.apple.com/en-us/120913, https://support.apple.com/en-us/120914, and https://support.apple.com/en-us/120915.
Details
- CWE(s)