apple ipad-os CVE-2024-23225 vulnerability in Apple Products
Published on March 5, 2024

product logo product logo product logo product logo product logo
A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Known Exploited Vulnerability

This Apple iOS and iPadOS Memory Corruption Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Apple iOS and iPadOS kernel contain a memory corruption vulnerability that allows an attacker with arbitrary kernel read and write capability to bypass kernel memory protections.

The following remediation steps are recommended / required by March 27, 2024: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2024-23225 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

What is a Memory Corruption Vulnerability?

The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

CVE-2024-23225 has been classified to as a Memory Corruption vulnerability or weakness.


Products Associated with CVE-2024-23225

You can be notified by stack.watch whenever vulnerabilities like CVE-2024-23225 are published in these products:

Apple iPad OS
 
Apple iOS
 
Apple Macos
 
Apple TV OS
 
Apple Visionos
 
Apple Watch OS
 

What versions are vulnerable to CVE-2024-23225?