Skip to main content

Apple Safari CVE-2024-44308

HIGH
2024-11-20 product-security@apple.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Added to CISA KEV
Apr 03, 2026 - 11:43 cisa
CISA KEV
CVE Published
Nov 20, 2024 - 00:15 nvd
HIGH 8.8

DescriptionCVE.org

The issue was addressed with improved checks. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

AnalysisAI

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously crafted web content, with Apple confirming active exploitation on Intel-based Mac systems. The flaw is confirmed actively exploited (CISA KEV) and carries a CVSS 8.8 score requiring only user interaction (visiting a malicious page) to achieve remote code execution. EPSS at 1.55% (81st percentile) is moderate but the KEV listing signals real-world targeted abuse against Apple's WebKit-based browsing stack.

Technical ContextAI

The vulnerability resides in Apple's WebKit/JavaScriptCore engine that powers Safari and all web content rendering across iOS, iPadOS, macOS, and visionOS. Apple's fix language ('addressed with improved checks') and the Intel-Mac-specific exploitation hint at a validation/type-confusion class issue in the JIT or web content pipeline, though no CWE is assigned in NVD. Affected CPE entries cover Apple Safari, iPadOS, iPhone OS, macOS, and visionOS; a Debian CPE is also listed because WebKitGTK packages downstream from upstream WebKit are similarly impacted on Debian 11. The bug is triggered purely through web content, meaning any vulnerable browsing surface (Safari tab, in-app WebView, embedded WebKit component) is a candidate vector.

RemediationAI

Vendor-released patches are available: upgrade to Safari 18.1.1, iOS/iPadOS 17.7.2 (for devices on the 17 train) or 18.1.1, macOS Sequoia 15.1.1, and visionOS 2.1.1 via Apple's standard Software Update mechanism, prioritizing Intel-based Macs given confirmed exploitation on that platform. Debian 11 administrators should apply WebKitGTK package updates from Debian Security as they are published. Where immediate patching is not possible, compensating controls include disabling JavaScript in Safari (Settings → Safari → Advanced) which neutralizes most WebKit exploitation paths at the cost of breaking nearly all modern sites, routing browsing through an enterprise web filter that blocks unknown/uncategorized domains to reduce drive-by exposure, and instructing users to avoid Safari/WebKit-embedded browsers in favor of a patched alternative engine temporarily - noting that in-app WebViews on iOS still use WebKit and cannot be swapped.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44309 MEDIUM
6.3 Nov 20

A cookie management issue was addressed with improved state management. Rated medium severity (CVSS 6.3), this vulnerabi

Share

CVE-2024-44308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy