@DTCERTApple ARKit Vulnerability - Heap Overflow
A heap corruption vulnerability (CVE-2024-44126) has been identified in several Apple products that use the ARKit component. This vulnerability could compromise the security of devices when processing a specially crafted file.
Details
- Product: Apple Software
- Affected Version: macOS Ventura < 13.7.1, iOS < 17.7, iPadOS < 17.7, macOS Sonoma < 14.7
- Vulnerability Type: Out-of-bounds Write (CWE-787)
- Risk Level: High
- Vendor URL: https://support.apple.com
- Vendor acknowledged vulnerability: Yes
- Vendor Status: Fixed
- CVE: CVE-2024-44126
This vulnerability has the potential to lead to data exfiltration and system instability, posing a risk to users of iOS and macOS devices. It is recommended that users ensure they have the latest software versions installed to mitigate this vulnerability.
References
- CVE-2024-44126
- Apple Support - Update 1
- Apple Support - Update 2
- Apple Support - Update 3
- Apple Support - Update 4
- Apple Support - Update 5
- Apple Support - Update 6
Timeline
- 2024-09-16: Vendor has fixed the vulnerability.
- 2024-10-28: Vendor has reported that the vulnerability has been fixed.
- 2024-11-27: This blog post was published.
Credits
- Holger Fuhrmannek (holger.fuhrmannek@telekom.de)