Apple consistently updates its list of resolved security vulnerabilities affecting iPhone, iPad, and Mac after each software release. In line with this practice, the company has published a comprehensive overview of the security patches included in today’s iOS 18.2 and macOS Sequoia 15.2 updates. As always, we advise users to update their devices promptly to mitigate potential security threats.
Below are the vulnerabilities addressed today for iPhone, iPad, and Mac:
iOS 18.2
AppleMobileFileIntegrity
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: A malicious application could potentially access private user information.
Description: This issue was rectified with enhanced verification processes.
CVE-2024-54526: Mickey Jin (@patch1t), Arsenii Kostromin (0x3c3e)
AppleMobileFileIntegrity
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: An application could access sensitive user data.
Description: This issue was resolved through improved checks.
CVE-2024-54527: Mickey Jin (@patch1t)
Audio
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: Muting a call while it is ringing may not actually enable mute.
Description: An inconsistency in the user interface was addressed by improving state management.
CVE-2024-54503: Micheal Chukwu and an anonymous researcher
Crash Reporter
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: An application may access sensitive user data.
Description: This permissions issue was resolved with additional restrictions.
CVE-2024-54513: an anonymous researcher
FontParser
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: Processing a maliciously crafted font may inadvertently disclose process memory.
Description: The issue was rectified through enhanced checks.
CVE-2024-54486: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
ImageIO
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: Processing a maliciously crafted image may lead to the disclosure of process memory.
Description: The issue was resolved with improved checks.
CVE-2024-54500: Junsung Lee working with Trend Micro Zero Day Initiative
Kernel
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: An attacker might create a read-only memory mapping that can be written to.
Description: A race condition was addressed with additional validation.
CVE-2024-54494: sohybbyk
Kernel
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: An application may leak sensitive kernel state.
Description: A race condition was dealt with through improved locking mechanisms.
CVE-2024-54510: Joseph Ravichandran (@0xjprx) of MIT CSAIL
Kernel
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: An application may unexpectedly terminate the system or corrupt kernel memory.
Description: The issue was resolved with revised memory handling.
CVE-2024-44245: an anonymous researcher
libexpat
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: A remote attacker might cause unexpected app termination or arbitrary code execution.
Description: This issue relates to a vulnerability in open-source code that affects Apple Software as well. The CVE-ID was assigned by a third party. More details about the issue and CVE-ID can be found at cve.org.
CVE-2024-45490
libxpc
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: An app might escape its sandbox environment.
Description: This issue was resolved through enhanced verification.
CVE-2024-54514: an anonymous researcher
libxpc
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: An application might gain elevated permissions.
Description: This logic issue was rectified by enhancing verification processes.
CVE-2024-44225: 风沐云烟(@binary_fmyy)
Passwords
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: An attacker in a privileged network position might alter network traffic.
Description: This issue was resolved by utilizing HTTPS for data transmission over the network.
CVE-2024-54492: Talal Haj Bakry and Tommy Mysk of Mysk Inc. (@mysk_co)
Safari
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: On devices with Private Relay activated, adding a site to the Safari Reading List may expose the originating IP address to the website.
Description: This issue was addressed by enhancing the routing of requests initiated from Safari.
CVE-2024-44246: Jacob Braun
SceneKit
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: Handling a maliciously crafted file may result in a denial of service.
Description: This issue was addressed with enhanced checks.
CVE-2024-54501: Michael DePlante (@izobashi) of Trend Micro’s Zero Day Initiative
VoiceOver
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: An attacker with physical access to an iOS device could view notification content on the lock screen.
Description: This issue was addressed by implementing additional logic.
CVE-2024-54485: Abhay Kailasia (@abhay_kailasia) from C-DAC Thiruvananthapuram India
WebKit
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: Processing maliciously crafted web content could cause unexpected process crashes.
Description: This issue was addressed through enhanced checks.
WebKit Bugzilla: 278497
CVE-2024-54479: Seunghyun Lee
WebKit Bugzilla: 281912
CVE-2024-54502: Brendon Tiszka of Google Project Zero
WebKit
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: Processing maliciously crafted web content may lead to an unexpected process crash.
Description: The issue was resolved through enhanced memory management.
WebKit Bugzilla: 282180
CVE-2024-54508: linjy of HKUS3Lab, chluo of WHUSecLab, and Xiangwei Zhang of Tencent Security YUNDING LAB
WebKit
Available for: iPhone XS and later models, iPad Pro 13-inch and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
Impact: Processing maliciously crafted web content may result in memory corruption.
Description: A type confusion issue was addressed through enhanced memory management.
WebKit Bugzilla: 282661
CVE-2024-54505: Gary Kwong
macOS 15.2
Apple Software Restore
Available for: macOS Sequoia
Impact: An application may gain access to sensitive user data.
Description: This issue has been resolved with improved validation.
CVE-2024-54477: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Kandji
AppleGraphicsControl
Available for: macOS Sequoia
Impact: Parsing a maliciously crafted video file could lead to unexpected system crashes.
Description: The issue was resolved with improved memory handling.
CVE-2024-44220: D4m0n
AppleMobileFileIntegrity
Available for: macOS Sequoia
Impact: A malicious app might access private information.
Description: The issue was addressed through improved checks.
CVE-2024-54526: Mickey Jin (@patch1t), Arsenii Kostromin (0x3c3e)
AppleMobileFileIntegrity
Available for: macOS Sequoia
Impact: An application may access sensitive user data.
Description: This issue was resolved with improved checks.
CVE-2024-54527: Mickey Jin (@patch1t)
AppleMobileFileIntegrity
Available for: macOS Sequoia
Impact: A local attacker could gain access to the user’s Keychain items.
Description: This issue was resolved through the activation of a hardened runtime.
CVE-2024-54490: Mickey Jin (@patch1t)
Audio
Available for: macOS Sequoia
Impact: An application may execute arbitrary code with kernel-level privileges.
Description: A logic issue was addressed with improved checks.
CVE-2024-54529: Dillon Franke working with Google Project Zero
Crash Reporter
Available for: macOS Sequoia
Impact: An application may access sensitive user data.
Description: This permissions issue was addressed with enhanced restrictions.
CVE-2024-54513: an anonymous researcher
Crash Reporter
Available for: macOS Sequoia
Impact: An application may potentially access protected user data.
Description: A logic issue was resolved with improved file handling.
CVE-2024-44300: an anonymous researcher
DiskArbitration
Available for: macOS Sequoia
Impact: An encrypted volume may be accessed by a different user without requiring a password prompt.
Description: The authorization issue was addressed with enhanced state management.
CVE-2024-54466: Michael Cohen
Disk Utility
Available for: macOS Sequoia
Impact: Executing a mount command could inadvertently run arbitrary code.
Description: A path handling issue was resolved with improved validation.
CVE-2024-54489: D’Angelo Gonzalez of CrowdStrike
FontParser
Available for: macOS Sequoia
Impact: Processing a maliciously crafted font may lead to the disclosure of process memory.
Description: This issue was addressed with enhanced verification.
CVE-2024-54486: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
Foundation
Available for: macOS Sequoia
Impact: A malicious application may gain root-level permissions.
Description: A logic issue was addressed with refined file handling.
CVE-2024-44291: Arsenii Kostromin (0x3c3e)
ImageIO
Available for: macOS Sequoia
Impact: Handling a maliciously crafted image may lead to the disclosure of process memory.
Description: This issue was resolved with improved checks.
CVE-2024-54500: Junsung Lee working with Trend Micro Zero Day Initiative
IOMobileFrameBuffer
Available for: macOS Sequoia
Impact: An attacker could cause unexpected system termination or arbitrary code execution in DCP firmware.
Description: A bounds access issue was addressed with enhanced bounds checking.
CVE-2024-54506: Ye Zhang (@VAR10CK) of Baidu Security
Kernel
Available for: macOS Sequoia
Impact: An attacker may create a read-only memory mapping that can be altered.
Description: A race condition was resolved through additional validation.
CVE-2024-54494: sohybbyk
Kernel
Available for: macOS Sequoia
Impact: An application could potentially leak sensitive kernel state information.
Description: A race condition was addressed with enhanced locking mechanisms.
CVE-2024-54510: Joseph Ravichandran (@0xjprx) of MIT CSAIL
Kernel
Available for: macOS Sequoia
Impact: An application might cause unexpected system termination or corrupt kernel memory.
Description: This issue was addressed with enhanced memory management.
CVE-2024-44245: an anonymous researcher
Kernel
Available for: macOS Sequoia
Impact: An application might bypass kASLR.
Description: This issue was fixed through improved memory handling.
CVE-2024-54531: Hyerean Jang, Taehun Kim, and Youngjoo Shin
LaunchServices
Available for: macOS Sequoia
Impact: An application may elevate its privileges.
Description: A logic issue was tackled with enhanced state management.
CVE-2024-54465: an anonymous researcher
libexpat
Available for: macOS Sequoia
Impact: A remote attacker may cause unexpected termination of the app or arbitrary code execution.
Description: This issue involves a vulnerability in open-source code affecting Apple Software. A third party assigned the CVE-ID. More information is available at cve.org.
CVE-2024-45490
libxpc
Available for: macOS Sequoia
Impact: An application could escape its sandbox constraints.
Description: This issue was resolved through enhanced checks.
CVE-2024-54514: an anonymous researcher
libxpc
Available for: macOS Sequoia
Impact: An application could gain elevated permissions.
Description: This logic issue was resolved through enhanced validation processes.
CVE-2024-44225: 风沐云烟(@binary_fmyy)
Logging
Available for: macOS Sequoia
Impact: A malicious application might determine a user’s current location.
Description: This issue was mitigated by sanitizing logging outputs.
CVE-2024-54491: Kirin (@Pwnrin)
MediaRemote
Available for: macOS Sequoia
Impact: An application may have access to sensitive user data.
Description: The issue was resolved by sanitizing logging.
CVE-2024-54484: Meng Zhang (鲸落) of NorthSea
Notification Center
Available for: macOS Sequoia
Impact: An application may access sensitive user information.
Description: A privacy concern was addressed with enhanced redaction of private data in logs.
CVE-2024-54504: 神罚(@Pwnrin)
PackageKit
Available for: macOS Sequoia
Impact: An application may have access to user-sensitive data.
Description: This issue was addressed with improved checks.
CVE-2024-54474: Mickey Jin (@patch1t)
CVE-2024-54476: Mickey Jin (@patch1t), Bohdan Stasiuk (@Bohdan_Stasiuk)
Passwords
Available for: macOS Sequoia
Impact: An attacker in a privileged network position could alter network traffic.
Description: This issue was resolved by employing HTTPS for network transmissions.
CVE-2024-54492: Talal Haj Bakry and Tommy Mysk of Mysk Inc. (@mysk_co)
Perl
Available for: macOS Sequoia
Impact: An application might modify protected regions of the file system.
Description: This logic issue was addressed through improved state management.
CVE-2023-32395: Arsenii Kostromin (0x3c3e)
Safari
Available for: macOS Sequoia
Impact: On devices with Private Relay enabled, adding a site to the Safari Reading List could expose the originating IP address.
Description: The issue was addressed by enhancing the routing of Safari-initiated requests.
CVE-2024-44246: Jacob Braun
SceneKit
Available for: macOS Sequoia
Impact: Processing a malicious file may lead to denial of service.
Description: This issue was resolved through improved validation.
CVE-2024-54501: Michael DePlante (@izobashi) of Trend Micro’s Zero Day Initiative
SharedFileList
Available for: macOS Sequoia
Impact: A malicious application may gain root permissions.
Description: This logic issue was resolved with stricter restrictions.
CVE-2024-54515: an anonymous researcher
SharedFileList
Available for: macOS Sequoia
Impact: An application could overwrite arbitrary files.
Description: A logic issue was addressed with enhanced validations.
CVE-2024-54528: an anonymous researcher
SharedFileList
Available for: macOS Sequoia
Impact: A malicious application may access arbitrary files.
Description: This logic issue was mitigated with enhanced file handling.
CVE-2024-54524: an anonymous researcher
SharedFileList
Available for: macOS Sequoia
Impact: An application could escape its sandbox.
Description: A path handling issue was addressed with improved validations.
CVE-2024-54498: an anonymous researcher
Shortcuts
Available for: macOS Sequoia
Impact: Privacy indicators for microphone access may not be accurately represented.
Description: This issue was rectified through improved state management.
CVE-2024-54493: Yokesh Muthu K
StorageKit
Available for: macOS Sequoia
Impact: An application could modify protected file system regions.
Description: A configuration issue was resolved with stricter restrictions.
CVE-2024-44243: Mickey Jin (@patch1t), Jonathan Bar Or (@yo_yo_yo_jbo) of Microsoft
StorageKit
Available for: macOS Sequoia
Impact: A malicious application might gain root privileges.
Description: This permissions issue was addressed with stronger restrictions.
CVE-2024-44224: Amy (@asentientbot)
Swift
Available for: macOS Sequoia
Impact: An application could modify protected areas of the file system.
Description: The issue was resolved through enhanced permissions logic.
CVE-2024-54495: Claudio Bozzato and Francesco Benvenuto of Cisco Talos, Arsenii Kostromin (0x3c3e)
WebKit
Available for: macOS Sequoia
Impact: Processing maliciously crafted web content may lead to unexpected crashes.
Description: The issue was addressed through improved checks.
WebKit Bugzilla: 278497
CVE-2024-54479: Seunghyun Lee
WebKit Bugzilla: 281912
CVE-2024-54502: Brendon Tiszka of Google Project Zero
WebKit
Available for: macOS Sequoia
Impact: Processing malicious web content may cause unexpected crashes.
Description: The issue was corrected through improved memory management.
WebKit Bugzilla: 282180
CVE-2024-54508: linjy of HKUS3Lab, chluo of WHUSecLab, Xiangwei Zhang of Tencent Security YUNDING LAB
WebKit
Available for: macOS Sequoia
Impact: Handling malicious web content may lead to memory corruption.
Description: This type confusion issue was resolved through improved memory management.
WebKit Bugzilla: 282661
CVE-2024-54505: Gary Kwong
Apple also acknowledges the security fixes for both iOS 18.2 and macOS 15.2.