A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.6, macOS Sequoia 15.3, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.3, visionOS 2.3, watchOS 11.3. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.
The use-after-free vulnerability (CWE-416) occurs when code references a memory area that has already been freed, leading to undefined system behavior. A malicious application installed on the device can trigger an appropriate sequence of operations to gain access to the freed memory segment and thus take control of code execution flow. This results in the ability to obtain higher system privileges than those to which the application is normally entitled. Apple resolved the issue by improving memory management mechanisms.
A malicious application installed on the device can perform privilege escalation, obtaining elevated system privileges. This can lead to complete takeover of the device, including compromise of confidentiality, integrity, and availability of data.
Devices must be immediately updated to: iOS 18.3 or iPadOS 18.3 (or iPadOS 17.7.6 for older devices), macOS Sequoia 15.3, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.3, visionOS 2.3, watchOS 11.3. Details are available in official Apple security bulletins at the addresses indicated in the references.
iOS before version 18.3, iPadOS before versions 18.3 and 17.7.6, macOS Sequoia before 15.3, macOS Sonoma before 14.7.5, macOS Ventura before 13.7.5, tvOS before 18.3, visionOS before 2.3, watchOS before 11.3. Confirmed active attacks on iOS versions older than 17.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HApple iPadOS
OSApple< 17.7.618.0 – 18.3 (bez)Apple iOS
OSApple< 18.3Apple macOS
OSApple13.0 – 13.7.5 (bez)14.0 – 14.7.5 (bez)15.0 – 15.3 (bez)Apple tvOS
OSApple< 18.3Apple Visionos
OSApple< 2.3Apple watchOS
OSApple< 11.3
CISA KEV — detailsi
- Vendori
- Apple ↗
- Producti
- Multiple Products
- Added to KEVi
- January 29, 2025
- Remediation deadline (US Federal)i
- February 19, 2025(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Apple iOS, macOS, and other Apple products contain a user-after-free vulnerability that could allow a malicious application to elevate privileges.
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach
Apple — memory corruption (RCE) w przetwarzaniu strumieni audio
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki