CVE-2024-54478

6.5 MEDIUM

📋 TL;DR

This CVE describes an out-of-bounds memory access vulnerability in Apple's web content processing components. Attackers can cause unexpected process crashes by tricking users into visiting malicious websites. Affects users of Apple devices running vulnerable versions of iOS, iPadOS, macOS, tvOS, watchOS, and visionOS.

💻 Affected Systems

Products:
  • Safari
  • WebKit-based applications
  • Apple operating systems
Versions: prior to iPadOS 17.7.4, visionOS 2.2, tvOS 18.2, watchOS 11.2, iOS 18.2, iPadOS 18.2, macOS Sonoma 14.7.2, macOS Sequoia 15.2
Operating Systems: iOS, iPadOS, macOS, tvOS, watchOS, visionOS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices using WebKit for web content rendering are affected by default.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Potential arbitrary code execution leading to full device compromise if combined with other vulnerabilities, though Apple's sandboxing would limit impact.

🟠

Likely Case

Denial of service through application or browser crashes when processing malicious web content.

🟢

If Mitigated

Minimal impact with proper patching and security controls in place.

🌐 Internet-Facing: HIGH - Exploitation requires only visiting a malicious website, making internet-facing devices particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal websites.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious website) but no authentication. Apple has patched this vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iPadOS 17.7.4, visionOS 2.2, tvOS 18.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2, macOS Sonoma 14.7.2, macOS Sequoia 15.2

Vendor Advisory: https://support.apple.com/en-us/121837

Restart Required: Yes

Instructions:

1. On iOS/iPadOS/watchOS, go to Settings > General > Software Update.
2. On macOS, go to System Settings > General > Software Update.
3. Install the latest available update.
4. Restart the device after installation.

🔧 Temporary Workarounds

Disable JavaScript

Platforms: all

Temporarily disable JavaScript in Safari to prevent exploitation via web content.

Use Alternative Browser

Platforms: all

Use browsers not based on WebKit until patches are applied.

🧯 If You Can't Patch

  • Implement web content filtering to block malicious sites
  • Restrict browsing to trusted websites only

🔍 How to Verify

Check if Vulnerable:

Check current OS version against patched versions listed in Apple advisories.

Check Version:

iOS/iPadOS: Settings > General > About > Version.
macOS: Apple menu > About This Mac > macOS version.

Verify Fix Applied:

Verify that the OS version matches or exceeds the patched version for the platform: iOS 18.2, iPadOS 18.2 (or 17.7.4 on the older branch), macOS Sonoma 14.7.2, macOS Sequoia 15.2, tvOS 18.2, watchOS 11.2, visionOS 2.2.
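The macOS check above can be scripted. The following is an added example, not Apple's tooling or part of the advisory: it reads the installed version with `sw_vers -productVersion` (or takes a version on the command line when run elsewhere) and compares it, component by component, with the patched release for its major version as listed in the Fix section (Sonoma 14.7.2, Sequoia 15.2). Major versions the advisory does not list are reported as "unknown" rather than guessed.

```shell
# Added example: compare an installed macOS version against the fixed release
# for CVE-2024-54478 on that major version. Fixed versions are those listed in
# the vendor advisory; anything else is reported as unknown, not as safe.

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise (pure POSIX sh)
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    ai="${ai:-0}";  bi="${bi:-0}"        # missing trailing component counts as 0
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# patched_version MAJOR: print the fixed macOS release for that major, or nothing
patched_version() {
  case "$1" in
    14) echo "14.7.2" ;;   # macOS Sonoma
    15) echo "15.2"   ;;   # macOS Sequoia
    *)  echo ""       ;;   # not covered by the advisory text on this page
  esac
}

# cve_2024_54478_status VERSION: print patched, vulnerable or unknown
cve_2024_54478_status() {
  major="${1%%.*}"
  fixed="$(patched_version "$major")"
  if [ -z "$fixed" ]; then
    echo "unknown"
  elif version_ge "$1" "$fixed"; then
    echo "patched"
  else
    echo "vulnerable"
  fi
}

# Stand-alone use: on a Mac, inspect the running system; elsewhere pass a version
if [ "$#" -gt 0 ]; then
  ver="$1"
elif command -v sw_vers >/dev/null 2>&1; then
  ver="$(sw_vers -productVersion)"
else
  ver=""
fi
if [ -n "$ver" ]; then
  echo "macOS $ver: $(cve_2024_54478_status "$ver")"
fi
```

Run it with no arguments on the Mac being checked, or as `sh check.sh 14.7.1` to evaluate a version string collected from inventory. The comparison treats `15.2.1` as newer than `15.2` and `14.7` as older than `14.7.2`, which is what a later point release means for this advisory.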

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Safari/WebKit process crashes
  • Memory access violation logs

Network Indicators:

  • Connections to suspicious domains followed by browser crashes

SIEM Query:

source="apple_system_logs" AND (process="Safari" OR process="WebKit") AND event="crash"
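For environments without a SIEM, the same log indicators can be checked with a short pipeline. This is an added example, not part of the advisory: the sample lines are constructed for it and only loosely modelled on macOS crash-reporter messages, so the grep patterns (process names `Safari` and `WebKit`, the `EXC_BAD_ACCESS` exception name) must be adapted to the real log format in use. It filters memory-access faults in Safari or WebKit content processes, counts them per host, and lists hosts where they repeat, since a single crash is noise but repeated faults on one host are worth a closer look.

```shell
# Added example: scan crash-reporter style log lines for the indicators listed
# above (memory-access faults in Safari/WebKit processes) and flag hosts where
# they repeat. Sample data below is constructed, not captured from a real system.

# constructed_log: made-up sample lines in "timestamp host reporter: message" form
constructed_log() {
  cat <<'EOF'
2024-12-11T10:01:02 mac-01 ReportCrash[412]: com.apple.WebKit.WebContent[8812] crashed: EXC_BAD_ACCESS (SIGSEGV)
2024-12-11T10:01:05 mac-01 ReportCrash[412]: com.apple.WebKit.WebContent[8820] crashed: EXC_BAD_ACCESS (SIGSEGV)
2024-12-11T10:03:15 mac-02 ReportCrash[398]: Safari[8790] crashed: EXC_BAD_ACCESS (SIGSEGV)
2024-12-11T10:05:40 mac-01 ReportCrash[412]: Notes[9001] crashed: EXC_CRASH (SIGABRT)
2024-12-11T10:06:12 mac-03 ReportCrash[455]: com.apple.WebKit.WebContent[7712] crashed: EXC_CRASH (SIGABRT)
EOF
}

# webkit_bad_access: keep only memory-access faults in Safari/WebKit processes
# (an abort in a WebKit process, or a fault in an unrelated app, is dropped)
webkit_bad_access() {
  awk '/Safari|WebKit/ && /EXC_BAD_ACCESS/'
}

# crashes_per_host: print "host count" for the filtered lines, sorted by host
# (the host is the second whitespace-separated field in this constructed format)
crashes_per_host() {
  webkit_bad_access | awk '{ n[$2]++ } END { for (h in n) print h, n[h] }' | sort
}

# hosts_over_threshold N: hosts with at least N such crashes in the input
hosts_over_threshold() {
  crashes_per_host | awk -v t="$1" '$2 >= t { print $1 }'
}

# Stand-alone run over the constructed sample: prints mac-01
constructed_log | hosts_over_threshold 2
```

In practice, feed the pipeline a bounded time window (for example the last hour of exported logs) so the threshold reflects a burst of crashes rather than a lifetime total, and pair any hit with the network indicator above by checking what sites the host visited just before the faults.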
