Apple regularly publishes lists of fixed vulnerabilities for iPhone, iPad, and Mac after each software update. The company has now published an extensive list of the security fixes included in today's iOS 18.2 and macOS Sequoia 15.2 software updates. As always, we recommend updating as soon as possible to protect your devices from these security threats.
Here are the fixes delivered today for iPhone, iPad, and Mac:
Table of Contents
- iOS 18.2
- macOS 15.2
iOS 18.2
AppleMobileFileIntegrity
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: A malicious app may be able to access personal information
Description: This issue was addressed through improved checks.
CVE-2024-54526: Mickey Jean (@patch1t), Arseniy Kostromin (0x3c3e)
AppleMobileFileIntegrity
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation) and later, iPad Pro 11-inch (1st generation) and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: An app can access sensitive user data
Description: This issue was addressed with improved checks.
CVE-2024-54527: Mickey Jean (@patch1t)
Audio
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation) and later, iPad Pro 11-inch (1st generation) and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: Muting the volume during a call may not unmute the call
Description: An inconsistent user experience issue was addressed with improved state management.
CVE-2024-54503: Michael Chukwu and an anonymous researcher
Crash Reporter
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: An app can access sensitive user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-54513: An anonymous researcher
FontParser
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation) and later, iPad Pro 11-inch (1st generation) and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: Handling a maliciously crafted font may lead to disclosure of process memory
Description: This issue was addressed through improved checks.
CVE-2024-54486: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
ImageIO
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation) and later, iPad Pro 11-inch (1st generation) and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: Processing a maliciously crafted image may lead to disclosure of process memory
Description: This issue was addressed through improved validations.
CVE-2024-54500: Junsung Lee working with Trend Micro's Zero Day Initiative
Kernel
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: An attacker can create a read-only memory mapping that is writable
Description: A race condition was addressed through additional validation.
CVE-2024-54494: sohybbyk
Kernel
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: An application can leak sensitive kernel state
Description: A race condition was mitigated using improved locking.
CVE-2024-54510: Joseph Ravichandran (@0xjprx) of MIT CSAIL
Kernel
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation) and later, iPad Pro 11-inch (1st generation) and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: An app can cause an unexpected system termination or kernel memory corruption
Description: This issue was addressed through improved memory handling.
CVE-2024-44245: Anonymous Researcher
libexpat
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation) and later, iPad Pro 11-inch (1st generation) and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution
Description: This is an open source vulnerability and Apple Software is one of the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and the CVE ID at cve.org.
CVE-2024-45490
libxpc
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: An application can escape its sandbox
Description: An issue was addressed through improved checks.
CVE-2024-54514: Anonymous researcher
libxpc
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: An app can gain elevated privileges
Description: A logic issue was addressed through improved validation.
CVE-2024-44225: 风沐云烟(@binary_fmyy)
Passwords
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: An attacker in a privileged network position may be able to modify network traffic
Description: This issue was addressed by using HTTPS when sending information over the network.
CVE-2024-54492: Talal Haj Bakri and Tommy Mysk of Mysk Inc. (@mysk_co)
Safari
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: On a device with Private Relay enabled, adding a website to Safari's Reading List may reveal the website's origin IP address.
Description: This issue was addressed through improved routing of requests originating from Safari.
CVE-2024-44246: Jacob Braun
SceneKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch (3rd generation) and later, iPad Pro 11-inch (1st generation) and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: Processing a maliciously crafted file may lead to a denial of service.
Description: This issue was addressed through improved checks.
CVE-2024-54501: Michael DePlante (@izobashi) from Trend Micro's Zero Day Initiative
VoiceOver
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: An attacker with physical access to an iOS device may be able to view the contents of notifications from the lock screen
Description: This issue was addressed by adding additional logic.
CVE-2024-54485: Abhay Kailasia (@abhay_kailasia) of C-DAC Thiruvananthapuram India
WebKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: Processing maliciously crafted web content could cause a process to crash unexpectedly
Description: This issue was addressed with improved checks.
WebKit Bugzilla: 278497
CVE-2024-54479: Seunghyun Lee
WebKit Bugzilla: 281912
CVE-2024-54502: Brendon Tiszka of Google Project Zero
WebKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: Handling maliciously crafted web content could cause the process to crash unexpectedly
Description: This issue was addressed with improved memory handling.
WebKit Bugzilla: 282180
CVE-2024-54508: linjy of HKUS3Lab and chluo of WHUSecLab, Xiangwei Zhang of Tencent Security YUNDING LAB
WebKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to memory corruption
Description: A type confusion issue was addressed through improved memory handling.
WebKit Bugzilla: 282661
CVE-2024-54505: Gary Kwong
WebKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to memory corruption
Description: An issue was addressed through improved memory handling.
WebKit Bugzilla: 277967
CVE-2024-54534: Tashita Software Security
macOS 15.2
Apple Software Recovery
Available for: macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: The issue was addressed through improved checks.
CVE-2024-54477: Mickey Jean (@patch1t), Csaba Fitzl (@theevilbit) of Kandji
AppleGraphicsControl
Available for: macOS Sequoia
Impact: Parsing a maliciously crafted video file may lead to an unexpected system termination
Description: This issue was addressed through improved memory handling.
CVE-2024-44220: D4m0n
AppleMobileFileIntegrity
Available for: macOS Sequoia
Impact: A malicious application may be able to access personally identifiable information
Description: This issue was addressed through improved checks.
CVE-2024-54526: Mickey Jean (@patch1t), Arseniy Kostromin (0x3c3e)
AppleMobileFileIntegrity
Available for: macOS Sequoia
Impact: An application may be able to access sensitive user data
Description: This issue was addressed through improved checks.
CVE-2024-54527: Mickey Jean (@patch1t)
AppleMobileFileIntegrity
Available for: macOS Sequoia
Impact: A local attacker may be able to gain access to items in a user's keychain.
Description: This issue was addressed by enabling the Protected Execution Environment.
CVE-2024-54490: Mickey Jean (@patch1t)
Audio
Available for: macOS Sequoia
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved checks.
CVE-2024-54529: Dillon Franke working with Google Project Zero
Crash Reporter
Available for: macOS Sequoia
Impact: An application can access sensitive user data
Description: A permissions issue was addressed with additional restrictions.
CVE-2024-54513: Anonymous Researcher
Crash Reporter
Available for: macOS Sequoia
Impact: An application can access sensitive user data
Description: A logic issue was addressed with improved file handling.
CVE-2024-44300: Anonymous Researcher
DiskArbitration
Available for: macOS Sequoia
Impact: Another user may be able to access an encrypted volume without being asked for the password
Description: An authorization issue was addressed through improved state management.
CVE-2024-54466: Michael Cohen
Disk Utility
Available for: macOS Sequoia
Impact: Running a mount command may unexpectedly execute arbitrary code
Description: A path handling issue was addressed through improved validation.
CVE-2024-54489: D'Angelo Gonzalez of CrowdStrike
FontParser
Available for: macOS Sequoia
Impact: Processing a maliciously crafted font may lead to disclosure of process memory
Description: An issue was addressed through improved checks.
CVE-2024-54486: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
Foundation
Available for: macOS Sequoia
Impact: A malicious application may be able to gain root privileges
Description: A logic issue was addressed through improved file handling.
CVE-2024-44291: Arseniy Kostromin (0x3c3e)
ImageIO
Available for: macOS Sequoia
Impact: Processing a maliciously crafted image may lead to disclosure of process memory
Description: An issue was addressed through improved checks.
CVE-2024-54500: Junsung Lee working with Trend Micro Zero Day Initiative
IOMobileFrameBuffer
Available for: macOS Sequoia
Impact: An attacker may be able to cause an unexpected system termination or arbitrary code execution in the DCP firmware
Description: An out-of-bounds access issue was addressed through improved bounds checking.
CVE-2024-54506: Ye Zhang (@VAR10CK) of Baidu Security
Kernel
Available for: macOS Sequoia
Impact: An attacker may be able to create a read-only memory mapping that can be written to
Description: A race condition was addressed through additional validation.
CVE-2024-54494: sohybbyk
Kernel
Available for: macOS Sequoia
Impact: An application can leak sensitive kernel state
Description: A race condition was addressed through improved locking.
CVE-2024-54510: Joseph Ravichandran (@0xjprx) of MIT CSAIL
Kernel
Available for: macOS Sequoia
Impact: An application can cause an unexpected system termination or kernel memory corruption
Description: An issue was addressed through improved memory handling.
CVE-2024-44245: anonymous researcher
Kernel
Available for: macOS Sequoia
Impact: An application can bypass kASLR
Description: An issue was addressed with improved memory handling.
CVE-2024-54531: Hyerean Jang, Taehun Kim, and Youngjoo Shin
LaunchServices
Available for: macOS Sequoia
Impact: An application can escalate privileges
Description: A logic issue was addressed with improved state management.
CVE-2024-54465: Anonymous Researcher
libexpat
Available for: macOS Sequoia
Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution
Description: This is an open source vulnerability and Apple Software is one of the affected projects. The CVE-ID was assigned by a third party. For more information on the issue and CVE-ID, see cve.org.
CVE-2024-45490
libxpc
Available for: macOS Sequoia
Impact: An application can escape its sandbox
Description: This issue was addressed through improved checks.
CVE-2024-54514: Anonymous researcher
libxpc
Available for: macOS Sequoia
Impact: An application could gain elevated privileges
Description: A logic issue was addressed through improved checks.
CVE-2024-44225: 风沐云烟(@binary_fmyy)
Logging
Available for: macOS Sequoia
Impact: A malicious application could determine the user's current location
Description: The issue was addressed by clearing the log.
CVE-2024-54491: Kirin (@Pwnrin)
MediaRemote
Available for: macOS Sequoia
Impact: An application could access sensitive user data
Description: The issue was addressed by clearing the log.
CVE-2024-54484: Meng Zhang (鲸落) of NorthSea
Notification Center
Available for: macOS Sequoia
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed through improved redaction of personal data in log entries.
CVE-2024-54504: 神罚(@Pwnrin)
PackageKit
Available for: macOS Sequoia
Impact: An application may be able to access sensitive user data
Description: This issue was addressed through improved checks.
CVE-2024-54474: Mickey Jean (@patch1t)
CVE-2024-54476: Mickey Jean (@patch1t), Bohdan Stasiuk (@Bohdan_Stasiuk)
Passwords
Available for: macOS Sequoia
Impact: An attacker in a privileged network position may be able to modify network traffic
Description: This issue was addressed by using HTTPS when sending information over the network.
CVE-2024-54492: Talal Haj Bakri and Tommy Mysk of Mysk Inc. (@mysk_co)
Perl
Available for: macOS Sequoia
Impact: An application can modify protected parts of the filesystem
Description: A logic issue was addressed through improved state management.
CVE-2023-32395: Arseniy Kostromin (0x3c3e)
Safari
Available for: macOS Sequoia
Impact: On a device with Private Relay enabled, adding a website to Safari's Reading List may reveal the website's originating IP address.
Description: This issue was addressed through improved routing of requests originating from Safari.
CVE-2024-44246: Jacob Braun
SceneKit
Available for: macOS Sequoia
Impact: Processing a maliciously crafted file may lead to denial of service.
Description: This issue was addressed through improved checks.
CVE-2024-54501: Michael DePlante (@izobashi) of Trend Micro's Zero Day Initiative
SharedFileList
Available for: macOS Sequoia
Impact: A malicious application may be able to gain root privileges.
Description: A logic issue was addressed with improved constraints.
CVE-2024-54515: Anonymous researcher
SharedFileList
Available for: macOS Sequoia
Impact: An application can overwrite arbitrary files
Description: A logic issue was addressed with improved restrictions.
CVE-2024-54528: Anonymous Researcher
SharedFileList
Available for: macOS Sequoia
Impact: A malicious application may be able to access arbitrary files
Description: A logic issue was addressed through improved file handling.
CVE-2024-54524: Anonymous researcher
SharedFileList
Available for: macOS Sequoia
Impact: An application can escape its sandbox
Description: An issue in path handling was addressed with improved validation.
CVE-2024-54498: Anonymous Researcher
Keyboard Shortcuts
Available for: macOS Sequoia
Impact: Microphone access privacy indicators may be incorrectly attributed
Description: This issue was addressed with improved state management.
CVE-2024-54493: Yokesh Muthu K
StorageKit
Available for: macOS Sequoia
Impact: An application can modify protected parts of the filesystem
Description: A configuration issue was addressed with additional constraints.
CVE-2024-44243: Mickey Jean (@patch1t), Jonathan Bar Or (@yo_yo_yo_jbo) of Microsoft
StorageKit
Available for: macOS Sequoia
Impact: A malicious application may be able to gain root privileges
Description: A permissions issue was addressed through additional restrictions.
CVE-2024-44224: Amy (@asentientbot)
Swift
Available for: macOS Sequoia
Impact: An application may be able to modify protected parts of the file system
Description: This issue was addressed through improved permissions logic.
CVE-2024-54495: Claudio Bozzato and Francesco Benvenuto of Cisco Talos, Arseniy Kostromin (0x3c3e)
WebKit
Available for: macOS Sequoia
Impact: Processing maliciously crafted web content may cause the process to crash unexpectedly
Description: This issue was addressed through improved checks.
WebKit Bugzilla: 278497
CVE-2024-54479: Seunghyun Lee
WebKit Bugzilla: 281912
CVE-2024-54502: Brendon Tiszka of Google Project Zero
WebKit
Available for: macOS Sequoia
Impact: Processing maliciously crafted web content may cause the process to crash unexpectedly
Description: This issue was addressed through improved memory handling.
WebKit Bugzilla: 282180
CVE-2024-54508: linjy from HKUS3Lab and chluo from WHUSecLab, Xiangwei Zhang from Tencent Security YUNDING LAB
WebKit
Available for: macOS Sequoia
Impact: Processing maliciously crafted web content may lead to memory corruption
Description: A type confusion issue was addressed through improved memory handling.
WebKit Bugzilla: 282661
CVE-2024-54505: Gary Kwong
WebKit
Available for: macOS Sequoia
Impact: Processing maliciously crafted web content may lead to memory corruption
Description: An issue was addressed through improved memory handling.
WebKit Bugzilla: 277967
CVE-2024-54534: Tashita Software Security
Apple is providing additional acknowledgment for the security fixes in iOS 18.2 and macOS 15.2.