CVE-2024-54499: Use After Free
First published: Wed Dec 11 2024(Updated: )
A use-after-free issue was addressed with improved memory management. This issue is fixed in visionOS 2.2, tvOS 18.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2. Processing a maliciously crafted image may lead to arbitrary code execution.
Credit: product-security@apple.com Benjamin Hornbeck ZUSO ARTSkadz @skadz108 ZUSO ARTChi Yuan Chang ZUSO ARTtaikosoup Arsenii Kostromin (0x3c3e) an anonymous researcher Mickey Jin @patch1t Micheal Chukwu Smi1e @Smi1eSEC Bistrit Dahal Hossein Lotfi @hosselot Trend Micro Zero Day InitiativeGary Kwong Anonymous Trend Micro Zero Day InitiativeJunsung Lee Trend Micro Zero Day InitiativeYe Zhang @VAR10CK Baidu SecurityJoseph Ravichandran @0xjprx MIT CSAILsohybbyk CVE-2024-45490 风沐云烟 @binary_fmyy Abhay Kailasia @abhay_kailasia CRakeshkumar Talaviya Talal Haj Bakry Mysk IncTommy Mysk @mysk_co Mysk IncJacob Braun Rei @reizydev Kenneth Chew Michael DePlante @izobashi Trend Micro's Zero Day InitiativeCVE-2024-45306 Seunghyun Lee Brendon Tiszka Google Project Zerolinjy HKUS3Labchluo WHUSecLabXiangwei Zhang Tencent Security YUNDING LABTashita Software Security Lukas Bernhard Rodolphe BRUNETTI @eisw0lf Lupus NovaKirin @Pwnrin 7feilee Hyerean Jang Taehun Kim Youngjoo Shin Meng Zhang (鲸落) NorthSeaClaudio Bozzato Cisco TalosFrancesco Benvenuto Cisco Talos神罚 @Pwnrin Bohdan Stasiuk @Bohdan_Stasiuk Yokesh Muthu K Mickey Jin @patch1t MicrosoftJonathan Bar Or @yo_yo_yo_jbo MicrosoftAmy @asentientbot Rodolphe BRUNETTI @eisw0lf Halle Winkler Politepix theoffcuts.org Trent Lloyd @lathiat D’Angelo Gonzalez CrowdStrikeMichael Cohen Mickey Jin @patch1t KandjiCsaba Fitzl @theevilbit KandjiD4m0n CertiK SkyFall Team Dillon Franke Google Project Zero
| Affected Software | Affected Version | How to fix |
|---|---|---|
| tvOS | <18.2 | 18.2 |
| Apple iOS, iPadOS, and watchOS | <18.2 | 18.2 |
| Apple iOS, iPadOS, and watchOS | <18.2 | 18.2 |
| Apple iOS, iPadOS, and watchOS | <11.2 | 11.2 |
| visionOS | <2.2 | 2.2 |
| visionOS | <2.2 | |
| tvOS | <18.2 | |
| Apple iOS, iPadOS, and watchOS | <11.2 | |
| Apple iOS, iPadOS, and watchOS | <18.2 | |
| Apple iOS, iPadOS, and watchOS | <18.2 | |
| macOS | <15.2 | |
| macOS | <15.2 | 15.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/121844 (Advisory)
- https://support.apple.com/en-us/121845 (Advisory)
- https://support.apple.com/en-us/121839 (Advisory)
- https://support.apple.com/en-us/121843 (Advisory)
- https://support.apple.com/en-us/121837 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2024-54541
- CVE-2024-54526
- CVE-2024-54527
- CVE-2024-54513
- CVE-2024-54486
- CVE-2024-54478
- CVE-2024-54499
- CVE-2024-54500
- CVE-2024-54517
- CVE-2024-54518
- CVE-2024-54522
- CVE-2024-54523
- CVE-2024-54468
- CVE-2024-54494
- CVE-2024-54510
- CVE-2024-45490
- CVE-2024-54514
- CVE-2024-44225
- CVE-2024-54497
- CVE-2024-54501
- CVE-2024-45306
- CVE-2024-54479
- CVE-2024-54502
- CVE-2024-54508
- CVE-2024-54505
- CVE-2024-54534
- CVE-2024-54543
- CVE-2024-54488
- CVE-2024-54503
- CVE-2024-54550
- CVE-2024-54512
- CVE-2024-54507
- CVE-2024-44245
- CVE-2024-54530
- CVE-2024-54492
- CVE-2024-44246
- CVE-2024-54542
- CVE-2024-54485
- CVE-2024-54477
- CVE-2024-44220
- CVE-2024-54490
- CVE-2024-54509
- CVE-2024-54529
- CVE-2024-44300
- CVE-2024-54466
- CVE-2024-54489
- CVE-2024-54547
- CVE-2024-54519
- CVE-2024-44291
- CVE-2024-54506
- CVE-2024-54531
- CVE-2024-54465
- CVE-2024-54491
- CVE-2024-54484
- CVE-2024-54536
- CVE-2024-54504
- CVE-2024-54474
- CVE-2024-54476
- CVE-2023-32395
- CVE-2024-54537
- CVE-2024-54557
- CVE-2024-54516
- CVE-2024-54515
- CVE-2024-54528
- CVE-2024-54524
- CVE-2024-54498
- CVE-2024-54493
- CVE-2024-44243
- CVE-2024-44224
- CVE-2024-54495
- CVE-2024-54549
- CVE-2024-54475
- CVE-2024-54520
- CVE-2024-54539
Frequently Asked Questions
What is the severity of CVE-2024-54499?
CVE-2024-54499 is classified as a critical vulnerability due to its potential for arbitrary code execution.
How do I fix CVE-2024-54499?
To fix CVE-2024-54499, update to the latest versions of the affected software: visionOS 2.2, tvOS 18.2, watchOS 11.2, iOS 18.2, iPadOS 18.2, or macOS Sequoia 15.2.
What software is affected by CVE-2024-54499?
CVE-2024-54499 affects Apple visionOS, tvOS, watchOS, iOS, iPadOS, and macOS Sequoia.
What is a use-after-free vulnerability like CVE-2024-54499?
A use-after-free vulnerability, such as CVE-2024-54499, occurs when a program continues to use a pointer after the memory it points to has been freed, allowing for potential arbitrary code execution.
What could happen if CVE-2024-54499 is exploited?
If CVE-2024-54499 is exploited, it could lead to arbitrary code execution, allowing attackers to take control of the affected device.
- agent/references
- agent/type
- collector/nvd-api
- source/NVD
- agent/severity
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/apple-support
- source/Apple
- alias/CVE-2024-54526
- alias/CVE-2024-54527
- alias/CVE-2024-54513
- alias/CVE-2024-54486
- alias/CVE-2024-54478
- alias/CVE-2024-54499
- alias/CVE-2024-54500
- alias/CVE-2024-54517
- alias/CVE-2024-54518
- alias/CVE-2024-54522
- alias/CVE-2024-54523
- alias/CVE-2024-54468
- alias/CVE-2024-54494
- alias/CVE-2024-54510
- alias/CVE-2024-45490
- alias/CVE-2024-54514
- alias/CVE-2024-44225
- alias/CVE-2024-54497
- alias/CVE-2024-54501
- alias/CVE-2024-45306
- alias/CVE-2024-54479
- alias/CVE-2024-54502
- alias/CVE-2024-54508
- alias/CVE-2024-54505
- alias/CVE-2024-54534
- alias/CVE-2024-54543
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/weakness
- agent/source
- agent/description
- agent/author
- alias/CVE-2024-54507
- alias/CVE-2024-44245
- alias/CVE-2024-54530
- alias/CVE-2024-54492
- alias/CVE-2024-44246
- alias/CVE-2024-54542
- alias/CVE-2024-54485
- alias/CVE-2024-54503
- alias/CVE-2024-54550
- alias/CVE-2024-54512
- alias/CVE-2024-54541
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- alias/CVE-2024-54466
- alias/CVE-2024-54489
- alias/CVE-2024-54547
- alias/CVE-2024-54519
- alias/CVE-2024-44291
- alias/CVE-2024-54506
- alias/CVE-2024-54531
- alias/CVE-2024-54465
- alias/CVE-2024-54491
- alias/CVE-2024-54484
- alias/CVE-2024-54536
- alias/CVE-2024-54504
- alias/CVE-2024-54474
- alias/CVE-2024-54476
- alias/CVE-2023-32395
- alias/CVE-2024-54537
- alias/CVE-2024-54557
- alias/CVE-2024-54516
- alias/CVE-2024-54515
- alias/CVE-2024-54528
- alias/CVE-2024-54524
- alias/CVE-2024-54498
- alias/CVE-2024-54493
- alias/CVE-2024-44243
- alias/CVE-2024-44224
- alias/CVE-2024-54495
- alias/CVE-2024-54549
- alias/CVE-2024-54475
- alias/CVE-2024-54520
- alias/CVE-2024-54539
- alias/CVE-2024-54490
- alias/CVE-2024-54509
- alias/CVE-2024-54529
- alias/CVE-2024-44300
- alias/CVE-2024-54477
- alias/CVE-2024-44220
- vendor/apple
- canonical/tvos
- canonical/apple ios, ipados, and watchos
- canonical/visionos
- canonical/macos