high
7.1
Advisory Published
CVE Published
Updated

CVE-2024-40774

First published: Mon Jul 29 2024(Updated: )

A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, macOS Sonoma 14.6. An app may be able to bypass Privacy preferences.

Credit: Mickey Jin @patch1t D4m0n w0wbox Csaba Fitzl @theevilbit KandjiCVE-2023-6277 CVE-2023-52356 Yisumi Junsung Lee Trend Micro Zero Day Initiative CrowdStrike Counter Adversary OperationsAmir Bazine CrowdStrike Counter Adversary OperationsKarsten König CrowdStrike Counter Adversary OperationsGandalf4a CertiK SkyFall Team Minghao Lin Zhejiang UniversityJiaxun Zhu Zhejiang UniversityCVE-2024-40805 Wojciech Regula SecuRingZhongquan Li @Guluisacat Dawn Security Lab of JingDongHuang Xilin Ant Group LightMaksymilian Motyl Johan Carlsson (joaxcar) Seunghyun Lee @0x10n KAIST Hacking Lab working with Trend Micro Zero Day InitiativeGary Kwong Andreas Jaegersberger Ro Achterberg product-security@apple.com Michael DePlante @izobashi Trend Micro Zero Day InitiativeCVE-2024-2004 CVE-2024-2379 CVE-2024-2398 CVE-2024-2466 an anonymous researcher sqrtpwn Patrick Wardle DoubleYouAdam M. CVE-2024-6387 Claudio Bozzato Cisco TalosFrancesco Benvenuto Cisco TalosCVE-2024-23296 Yadhu Krishna M Cyber Security At Suma Soft PvtNarendra Bhati Cyber Security At Suma Soft PvtManager Cyber Security At Suma Soft PvtPune (India) Kirin @Pwnrin Joshua Jones Marcio Almeida Tanto SecurityJiahui Hu (梅零落) NorthSeaMeng Zhang (鲸落) NorthSeaMatthew Loewen Minghao Lin Baidu Security Baidu SecurityYe Zhang @VAR10CK Baidu SecurityBistrit Dahal Srijan Poudel Abhay Kailasia @abhay_kailasia Lakshmi Narain College of Technology Bhopal IndiaJacob Braun ajajfxhj Linwz DEVCOREMateen Alinaghi Dawn Security Lab of JingDongMickey Jin @patch1t KandjiMatthew Butler CVE-2024-4558 IES Red Team ByteDanceYeto Yann Gascuel Alter SolutionsWang Yu CyberservalRodolphe BRUNETTI @eisw0lf Pedro Tôrres @t0rr3sp3dr0 KandjiCsaba Fitzl @theevilbit Offensive SecurityJiwon Park Arsenii Kostromin (0x3c3e)

Affected SoftwareAffected VersionHow to fix
Apple macOS<14.6
14.6
tvOS<17.6
17.6
Apple iOS, iPadOS, and watchOS<10.6
10.6
macOS<12.7.6
12.7.6
macOS Ventura<13.6.8
13.6.8
<10.6
10.6
<17.6
17.6
<17.6
17.6
Apple iOS and iPadOS<17.6
17.6
Apple iOS, iPadOS, and macOS<17.6
17.6
macOS<12.7.6
macOS>=13.0<13.6.8
macOS>=14.0<14.6
iPhone OS<17.6
Apple iOS, iPadOS, and macOS<17.6
Apple iOS, iPadOS, and watchOS<10.6
tvOS<17.6

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

  • What is the severity of CVE-2024-40774?

    CVE-2024-40774 is classified as a security vulnerability that addresses a downgrade issue with additional code-signing restrictions.

  • How do I fix CVE-2024-40774?

    To fix CVE-2024-40774, update to macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 17.6, iPadOS 17.6, watchOS 10.6, or tvOS 17.6.

  • What platforms are affected by CVE-2024-40774?

    CVE-2024-40774 affects multiple Apple platforms, including macOS, iOS, iPadOS, watchOS, and tvOS.

  • What are the potential risks associated with CVE-2024-40774?

    The potential risks associated with CVE-2024-40774 include the possibility of an app bypassing Privacy preferences due to the downgrade issue.

  • Is there a known exploit for CVE-2024-40774?

    As of now, there are no specific exploits publicly disclosed for CVE-2024-40774, but the nature of the vulnerability could pose a risk.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203