CVE-2024-40776

4.3 MEDIUM

📋 TL;DR

A use-after-free vulnerability in Apple's WebKit browser engine allows processing malicious web content to cause unexpected process crashes. This affects users of Safari and Apple devices running vulnerable iOS, iPadOS, watchOS, tvOS, visionOS, and macOS versions. The vulnerability could potentially be leveraged for denial of service or further exploitation.

💻 Affected Systems

Products:
  • Safari
  • iOS
  • iPadOS
  • watchOS
  • tvOS
  • visionOS
  • macOS
Versions: Versions prior to iOS 16.7.9, iPadOS 16.7.9, Safari 17.6, iOS 17.6, iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6
Operating Systems: iOS, iPadOS, watchOS, tvOS, visionOS, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected Apple products are vulnerable. The vulnerability is in WebKit, which powers Safari and other Apple web-rendering components.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Potential remote code execution leading to complete system compromise if combined with other vulnerabilities, though this requires chaining with additional exploits.

🟠 Likely Case

Denial of service through browser/application crashes when processing malicious web content.

🟢 If Mitigated

Limited to application crashes with no data loss if proper sandboxing and memory protections are in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious website) but no authentication. Use-after-free vulnerabilities typically require precise timing and memory manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 16.7.9, iPadOS 16.7.9, Safari 17.6, iOS 17.6, iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6

Vendor Advisory: https://support.apple.com/en-us/HT214108

Restart Required: Yes

Instructions:

1. Open Settings app.
2. Go to General > Software Update.
3. Install available updates.
4. Restart device when prompted.

For macOS:

1. Open System Settings.
2. Go to General > Software Update.
3. Install available updates.
4. Restart computer.

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript in Safari to prevent exploitation through malicious web content

Safari > Settings > Security > Uncheck 'Enable JavaScript'

Use Alternative Browser

all

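Use non-WebKit based browsers (Chrome, Firefox) until patches are applied. This helps on macOS; on iOS and iPadOS, third-party browsers generally render with the system WebKit, so switching browsers there does not remove exposure.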

🧯 If You Can't Patch

  • Implement web content filtering to block known malicious sites
  • Use application whitelisting to restrict execution of unauthorized processes

🔍 How to Verify

Check if Vulnerable:

Check the current OS/browser version against the patched versions listed under Affected Systems above.

Check Version:

iOS/iPadOS: Settings > General > About > Version; macOS: Apple menu > About This Mac; Safari: Safari menu > About Safari

Verify Fix Applied:

Verify OS/browser version matches or exceeds patched versions: iOS/iPadOS 16.7.9+, Safari 17.6+, iOS/iPadOS 17.6+, watchOS 10.6+, tvOS 17.6+, visionOS 1.3+, macOS Sonoma 14.6+
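
The version check above, as an added example (not code from this page or from Apple) that audits a device inventory against the patched versions. It compares each device only against the fix for its own major branch, so iPadOS 17.0 is flagged even though it sorts higher than 16.7.9. The host names, the inventory and the "no-listed-fix" label are constructed for illustration, and treating newer major releases as fixed is an assumption.

```python
import re

# Fixed releases per product, copied from the "Patch Version" line above.
IOS = ["16.7.9", "17.6"]
FIXED = {"ios": IOS, "ipados": IOS, "safari": ["17.6"], "watchos": ["10.6"],
         "tvos": ["17.6"], "visionos": ["1.3"], "macos": ["14.6"]}

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("iphone-01", "iOS", "17.5.1"),
    ("iphone-02", "iOS", "16.7.9"),
    ("ipad-07", "iPadOS", "17.0"),
    ("mac-11", "macOS", "14.6.1"),
    ("mac-12", "macOS", "13.6.7"),
    ("watch-03", "watchOS", "10.5"),
]

def parse_version(text):
    """Turn '17.5.1' into (17, 5, 1), padding missing parts with zeros."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(product, version):
    """Compare against the fixed release of the same major branch only."""
    fixes = FIXED.get(product.strip().lower())
    if fixes is None:
        raise ValueError(f"product not listed for this CVE: {product!r}")
    v = parse_version(version)
    branches = [parse_version(f) for f in fixes]
    for fixed in branches:
        if v[0] == fixed[0]:
            return "patched" if v >= fixed else "vulnerable"
    # Assumption: a major release newer than every listed branch has the fix.
    if v[0] > max(b[0] for b in branches):
        return "patched"
    return "no-listed-fix"  # older branch; this page names no fixed release

def audit(inventory):
    """Return {host: status} for every host not confirmed patched."""
    results = {host: status(prod, ver) for host, prod, ver in inventory}
    return {host: s for host, s in results.items() if s != "patched"}

if __name__ == "__main__":
    for host, s in audit(INVENTORY).items():
        print(f"{host}: {s}")
```

Hosts reported as "no-listed-fix" run a major branch for which this page lists no fixed release; check the vendor advisory for those rather than assuming either state.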

📡 Detection & Monitoring

Log Indicators:

  • Safari/WebKit process crashes
  • Unexpected browser/application terminations
  • Memory access violation logs

Network Indicators:

  • Connections to known malicious domains serving web content
  • Unusual web traffic patterns to suspicious sites

SIEM Query:

source="*" (process_name="Safari" OR process_name="WebKit") AND (event_type="crash" OR error="EXC_BAD_ACCESS" OR error="segmentation fault")
