Apple iOS
CVE-2024-23225
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4, macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5, tvOS 17.4, visionOS 1.1, watchOS 10.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
AnalysisAI
Kernel memory protection bypass in Apple iOS, iPadOS, macOS, tvOS, visionOS, and watchOS allows a local attacker who already possesses arbitrary kernel read/write primitives to defeat additional kernel mitigations and achieve full kernel compromise. The flaw is confirmed actively exploited (CISA KEV) and Apple has acknowledged reports of exploitation, making this a critical post-exploitation primitive used in real-world attack chains despite a modest 0.16% EPSS score indicating targeted rather than mass exploitation.
Technical ContextAI
The vulnerability is a memory corruption flaw (CWE-787, Out-of-bounds Write) in the XNU kernel shared across Apple's operating systems, addressed via improved validation according to Apple's advisory. CPE data confirms the issue spans the full Apple ecosystem - iPhone OS, iPadOS, macOS (Monterey, Ventura, Sonoma), tvOS, visionOS, and watchOS - indicating a shared kernel component. The bug enables bypass of kernel memory protections such as PPL (Page Protection Layer) or KTRR, mitigations specifically designed to contain attackers who already have kernel R/W, meaning this is a chained-exploit primitive rather than an initial entry point.
RemediationAI
Vendor-released patches are available: upgrade to iOS/iPadOS 16.7.6 or 17.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5, macOS Sonoma 14.4, tvOS 17.4, visionOS 1.1, or watchOS 10.4 - apply via standard Apple software update channels and Apple's support advisories. There are no practical pre-patch workarounds because the flaw lives in the kernel and is reachable from any code already running with kernel R/W; compensating controls focus on reducing initial-access risk by enforcing Lockdown Mode on high-risk users (which restricts attack surface but limits messaging, web, and configuration features), keeping MDM enrollment with mandatory minimum OS versions, and disabling MDM-managed device enrollment for unpatched devices. For fleet managers, blocking enrollment of devices below the patched build via conditional access policies is the most concrete control.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today