CVE-2024-44122: Input Validation
Published Sep 16, 2024
·Updated
A logic issue was addressed with improved checks. This issue is fixed in iOS 18 and iPadOS 18, macOS Sequoia 15, macOS Sonoma 14.7.1, macOS Ventura 13.7.1. An application may be able to break out of its sandbox.
Other sources
Accessibility. This issue was addressed by restricting options offered on a locked device.
— Apple
Accessibility. This issue was addressed through improved state management.
— Apple
Accessibility. This issue was addressed with improved data protection.
— Apple
Accounts. A permissions issue was addressed with additional restrictions.
— Apple
Accounts. The issue was addressed with improved checks.
— Apple
Credit
Csaba Fitzl@@theevilbit(Kandji), an anonymous researcher, Kirin@@Pwnrin, Mickey Jin@@patch1t, Noah Gregory (wts.dev), Arsenii Kostromin (0x3c3e), Mickey Jin@@patch1t(Kandji), Un3xploitable(CW Research Inc), Bohdan Stasiuk@@Bohdan_Stasiuk(CW Research Inc), Pedro Tôrres@@t0rr3sp3dr0, 냥냥, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Halle Winkler, Politepix@@hallewinkler, Bing Shi(Alibaba Group), Wenchao Li(Alibaba Group), Xiaolong Bai(Alibaba Group), (Indiana University Bloomington), Luyi Xing(Indiana University Bloomington), Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Junsung Lee(Trend Micro Zero Day Initiative), dw0r!(Trend Micro Zero Day Initiative), Bohdan Stasiuk@@Bohdan_Stasiuk, Alexandre Bedard, Ronny Stiftel, Wang Yu(Cyberserval), Jex Amro, Zhongquan Li@@Guluisacat, Mateusz Krzywicki@@krzywix, pattern-f@@pattern_F_(Loadshine Lab), Hikerell(Loadshine Lab), Ivan Fratric(Google Project Zero), Holger Fuhrmannek, Rodolphe Brunetti@@eisw0lf, CVE-2023-4504, @@08Tc3wBB(Jamf), Denis Tokarev@@illusionofcha0s, Yiğit Can YILMAZ@@yilmazcanyigit, Junsung Lee, dw0r(ZeroPointer Lab working with Trend Micro Zero Day Initiative), Antonio Zekić, Andrew Lytvynov, Alexander Heinrich, SEEMOO, DistriNet, KU Leuven@@vanhoefm, TU Darmstadt@@Sn0wfreeze, Mathy Vanhoef, Jeff Johnson (underpassapp.com), OSS-Fuzz(Google Project Zero), Ned Williamson(Google Project Zero), Rodolphe BRUNETTI@@eisw0lf, Kirin@@Pwnrin(Fudan University), LFY@@secsys(Fudan University), Olivier Levon, CVE-2023-5841, Meng Zhang (鲸落)(NorthSea), ajajfxhj, Brian McNulty(Computer Science), Cristian Dinca(Computer Science), Romania, Vaibhav Prajapati, CVE-2024-39894, Wojciech Regula(SecuRing), Rifa'i Rejal Maynando, Narendra Bhati(Cyber Security at Suma Soft Pvt), Manager(Cyber Security at Suma Soft Pvt), Pune (India), Yiğit Can YILMAZ@@yilmazcanyigit(SecuRing), Kirin@@Pwnrin(NorthSea), Vivek Dhar, working as Assistant Sub-Inspector (RM) in Border Security Force (Frontier Headquarter BSF Kashmir), Pedro José Pereira Vieito@@pvieito, luckyu@@uuulucky(NorthSea), Om Kothawade(the UNTHSC College of Pharmacy), Omar A. Alanis(the UNTHSC College of Pharmacy), Bistrit Dahal, Matej Moravec@@MacejkoMoravec, K宝, LFY@@secsys, Smi1e, yulige, Cristian Dinca (icmd.tech), Ron Masas(BreakPoint), Jonathan Bar Or@@yo_yo_yo_jbo(Microsoft), CVE-2024-41957, Narendra Bhati(Cyber Security At Suma Soft Pvt), Manager(Cyber Security At Suma Soft Pvt), Tashita Software Security, Ron Masas, Hafiizh(HakTrak), YoKo Kho@@yokoacc(HakTrak), Tim Michaud@@TimGMichaud(Moveworks), Antonio Zekic@@antoniozekic, ant4g0nist, Charly Suchanek, CVE-2024-44134, Preet Dsouza (Fleming College, Computer Security & Investigations Program), Domien Schepers, Tim Clem, Gergely Kalman@@gergely_kalman, Koh M. Nakagawa@@tsunek0h, CVE-2024-44130, Pwn2car(Trend Micro Zero Day Initiative), Claudio Bozzato(Cisco Talos), Francesco Benvenuto(Cisco Talos), Anton Boegler, Snoolie Keffaber@@0xilis, CVE-2024-44129, Joshua Keller, Lukas, Kenneth Chew, Anamika Adhikari, Om Kothawade(Zaprico Digital), Chi Yuan Chang(ZUSO ART), taikosoup, Srijan Poudel, Justin Cohen, Daniele Antonioli, Tuan D. Hoang, Chloe Surett, Jake Derouin (jakederouin.com), Abhay Kailasia@@abhay_kailasia(Lakshmi Narain College of Technology Bhopal India)
Affected Software
7 affected componentsFixes available
Apple macOS<14.7.1
14.7.1
macOS<15
15
Apple iOS and iPadOS<18
18
Apple iOS, iPadOS, and macOS<18
18
macOS Ventura<13.7.1
13.7.1
macOS<13.7.1
macOS>=14.0<14.7.1
Event History
Sep 16, 2024
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Oct 28, 2024
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
CVE Published
via MITRE·09:08 PM
Data Sourced
via MITRE·09:08 PM
DescriptionWeakness
Data Sourced
via NVD·09:15 PM
DescriptionSeverityWeaknessAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2024-40840
- CVE-2024-40830
- CVE-2024-44171
- CVE-2024-40852
- CVE-2024-44126
- CVE-2024-27874
- CVE-2024-27876
- CVE-2024-27869
- CVE-2024-44124
- CVE-2024-54469
- CVE-2024-44131
- CVE-2024-40850
- CVE-2024-27880
- CVE-2024-44176
- CVE-2024-44169
- CVE-2024-44165
- CVE-2024-44191
- CVE-2024-44122
- CVE-2024-54560
- CVE-2024-44198
- CVE-2024-40791
- CVE-2024-44183
- CVE-2023-5841
- CVE-2024-44147
- CVE-2024-44167
- CVE-2024-44217
- CVE-2024-40826
- CVE-2024-44155
- CVE-2024-44202
- CVE-2024-44127
- CVE-2024-40863
- CVE-2024-44144
- CVE-2024-44123
- CVE-2024-44145
- CVE-2024-44179
- CVE-2024-40853
- CVE-2024-44139
- CVE-2024-44180
- CVE-2024-44170
- CVE-2024-54558
- CVE-2024-44184
- CVE-2024-27879
- CVE-2024-54467
- CVE-2024-44192
- CVE-2024-40857
- CVE-2024-44187
- CVE-2024-44227
- CVE-2024-40856
- CVE-2024-44129
- CVE-2024-44153
- CVE-2024-44188
- CVE-2024-40792
- CVE-2024-40825
- CVE-2024-44130
- CVE-2024-44182
- CVE-2024-44154
- CVE-2024-40845
- CVE-2024-40846
- CVE-2024-44164
- CVE-2024-40837
- CVE-2024-40847
- CVE-2024-40848
- CVE-2024-44168
- CVE-2024-27860
- CVE-2024-27861
- CVE-2024-40841
- CVE-2024-27795
- CVE-2024-44135
- CVE-2024-44132
- CVE-2024-44128
- CVE-2024-44151
- CVE-2024-44172
- CVE-2024-27875
- CVE-2024-44146
- CVE-2024-27849
- CVE-2023-4504
- CVE-2024-40855
- CVE-2024-44148
- CVE-2024-44177
- CVE-2024-54463
- CVE-2024-40831
- CVE-2024-40861
- CVE-2024-44160
- CVE-2024-44161
- CVE-2024-44175
- CVE-2024-54473
- CVE-2024-44181
- CVE-2024-27858
- CVE-2024-40838
- CVE-2024-44186
- CVE-2024-39894
- CVE-2024-44178
- CVE-2024-44149
- CVE-2024-40797
- CVE-2024-44125
- CVE-2024-44163
- CVE-2024-44203
- CVE-2024-44137
- CVE-2024-44174
- CVE-2024-40801
- CVE-2024-44158
- CVE-2024-40844
- CVE-2024-40860
- CVE-2024-44152
- CVE-2024-44166
- CVE-2024-44190
- CVE-2024-44133
- CVE-2024-40859
- CVE-2024-41957
- CVE-2024-40866
- CVE-2024-54546
- CVE-2024-40770
- CVE-2024-23237
- CVE-2024-44134
- CVE-2024-44189
- CVE-2024-44208
- CVE-2024-40842
- CVE-2024-40843
- CVE-2024-44255
- CVE-2024-44232
- CVE-2024-44233
- CVE-2024-44234
- CVE-2024-44270
- CVE-2024-44280
- CVE-2024-44260
- CVE-2024-44273
- CVE-2024-44295
- CVE-2024-44240
- CVE-2024-44302
- CVE-2024-44213
- CVE-2024-44289
- CVE-2024-44282
- CVE-2024-44265
- CVE-2024-40854
- CVE-2024-44215
- CVE-2024-44297
- CVE-2024-44216
- CVE-2024-44287
- CVE-2024-44197
- CVE-2024-44239
- CVE-2024-44222
- CVE-2024-44256
- CVE-2024-54471
- CVE-2024-44159
- CVE-2024-44156
- CVE-2024-44196
- CVE-2024-44253
- CVE-2024-44247
- CVE-2024-44267
- CVE-2024-44301
- CVE-2024-44275
- CVE-2024-44294
- CVE-2024-44218
- CVE-2024-54538
- CVE-2024-44254
- CVE-2024-44269
- CVE-2024-44236
- CVE-2024-44237
- CVE-2024-44284
- CVE-2024-44279
- CVE-2024-44281
- CVE-2024-44283
- CVE-2024-44278
- CVE-2024-44264
- CVE-2024-44257
Frequently Asked Questions
1
What is the severity of CVE-2024-44122?
CVE-2024-44122 has been classified as a critical vulnerability due to its potential to allow applications to break out of their sandbox.
2
How do I fix CVE-2024-44122?
To mitigate CVE-2024-44122, update to macOS Ventura 13.7.1, macOS Sequoia 15, or macOS Sonoma 14.7.1.
3
Which versions of macOS are affected by CVE-2024-44122?
CVE-2024-44122 affects macOS versions prior to 13.7.1, any release between 14.0 and 14.7.1, and versions prior to 15.
4
What types of systems are vulnerable to CVE-2024-44122?
CVE-2024-44122 primarily affects systems running specific versions of macOS, including Ventura, Sequoia, and Sonoma.
5
What does CVE-2024-44122 exploit?
CVE-2024-44122 exploits a logic issue that could allow applications to bypass sandbox restrictions.