CVE-2024-27838
Description
The issue was addressed by adding additional logic. This issue is fixed in Safari 17.5, iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, tvOS 17.5, visionOS 1.2, watchOS 10.5. A maliciously crafted webpage may be able to fingerprint the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malicious webpage can fingerprint users due to a logic issue in WebKit, fixed in Safari 17.5 and other Apple OS updates.
Vulnerability Overview
CVE-2024-27838 is a medium-severity (CVSS 6.5) privacy concern in Apple's WebKit rendering engine, which is used by Safari and many other apps. The root cause is a logic flaw in how the browser handles certain web content, allowing a maliciously crafted webpage to bypass protections and fingerprint the user's device or identity without consent. Apple addressed the issue by adding additional logic to prevent this fingerprinting [1].
Attack Surface and Exploitation
The vulnerability is exploitable solely by convincing a user to visit a specially crafted webpage (no additional local access or privileges required). The attack is network-based and low complexity, as the webpage can be delivered via any standard web link. No authentication or user interaction beyond loading the page is needed, meaning a drive-by attack in a phishing email or a compromised advertisement could trigger the issue.
Impact
Successful exploitation allows an attacker to fingerprint the user, i.e., to collect unique or identifiable device and browser characteristics (such as screen resolution, installed fonts, or other browser-accessible details) that can be used to track the user across the web or link browsing sessions to a specific identity. This undermines user privacy protections that modern browsers typically implement.
Mitigation
Apple has fixed the issue in the following released versions: Safari 17.5, iOS 16.7.8, iPadOS 16.7.8, iOS 17.5, iPadOS 17.5, macOS Sonoma 14.5, tvOS 17.5, visionOS 1.2, and watchOS 10.5 [1]. Users are strongly advised to update their devices to these latest versions. No workarounds are documented; the only mitigation is applying the vendor-supplied patch.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (31 OSV package coordinates; no CPE entries)
- pkg:rpm/almalinux/webkit2gtk3 — range: < 2.46.1-2.el9_4
- pkg:rpm/almalinux/webkit2gtk3-devel — range: < 2.46.1-2.el9_4
- pkg:rpm/almalinux/webkit2gtk3-jsc — range: < 2.46.1-2.el9_4
- pkg:rpm/almalinux/webkit2gtk3-jsc-devel — range: < 2.46.1-2.el9_4
- pkg:rpm/opensuse/webkit2gtk3&distro=openSUSE%20Leap%2015.6 — range: < 2.46.0-150600.12.12.1
- pkg:rpm/opensuse/webkit2gtk3-soup2&distro=openSUSE%20Leap%2015.6 — range: < 2.46.0-150600.12.12.1
- pkg:rpm/opensuse/webkit2gtk4&distro=openSUSE%20Leap%2015.6 — range: < 2.46.0-150600.12.12.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS — range: < 2.46.0-150200.121.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5 — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6 — range: < 2.46.0-150600.12.12.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS — range: < 2.46.0-4.15.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS — range: < 2.46.0-150200.121.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS — range: < 2.46.0-150200.121.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 — range: < 2.46.0-150200.121.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5 — range: < 2.46.0-4.15.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 — range: < 2.46.0-150600.12.12.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 — range: < 2.46.0-150600.12.12.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6 — range: < 2.46.0-150600.12.12.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS — range: < 2.46.0-150400.4.91.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 — range: < 2.46.0-150400.4.91.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (20)
- seclists.org/fulldisclosure/2024/Jun/5 [nvd: Mailing List, Third Party Advisory]
- support.apple.com/en-us/HT214100 [nvd: Vendor Advisory]
- support.apple.com/en-us/HT214101 [nvd: Vendor Advisory]
- support.apple.com/en-us/HT214102 [nvd: Vendor Advisory]
- support.apple.com/en-us/HT214103 [nvd: Vendor Advisory]
- support.apple.com/en-us/HT214104 [nvd: Vendor Advisory]
- support.apple.com/en-us/HT214106 [nvd: Vendor Advisory]
- support.apple.com/en-us/HT214108 [nvd: Vendor Advisory]
- support.apple.com/en-us/120896 [nvd]
- support.apple.com/en-us/120898 [nvd]
- support.apple.com/en-us/120901 [nvd]
- support.apple.com/en-us/120902 [nvd]
- support.apple.com/en-us/120903 [nvd]
- support.apple.com/en-us/120905 [nvd]
- support.apple.com/en-us/120906 [nvd]
- support.apple.com/kb/HT214100 [nvd]
- support.apple.com/kb/HT214102 [nvd]
- support.apple.com/kb/HT214104 [nvd]
- support.apple.com/kb/HT214106 [nvd]
- support.apple.com/kb/HT214108 [nvd]
News mentions
No linked articles in our index yet.