CVE-2024-44261

Vulnerability

An information disclosure vulnerability exists in the lock screen of iOS and iPadOS. The issue allows an attacker with physical access to a locked device to view restricted content that should be hidden. This is due to the device offering options on a locked device that are not properly restricted. The vulnerability affects devices running iOS versions prior to 17.7.1 and 18.1, and iPadOS versions prior to 17.7.1 and 18.1. [1][2]

Exploitation

To exploit this vulnerability, an attacker needs physical access to a locked device. No authentication is required. The attacker can interact with the lock screen in a way that reveals sensitive user information. The exact method is not publicly detailed, but it likely involves manipulating lock screen features.

Impact

Successful exploitation allows an attacker to view sensitive user information, such as notifications or other restricted content, that is normally protected when the device is locked. This is a confidentiality breach, but does not grant further privileges or persistence.

Mitigation

Apple addressed this issue in iOS 17.7.1, iPadOS 17.7.1, iOS 18.1, and iPadOS 18.1, released on October 28, 2024. Users should update to these versions or later to protect their devices. No known workarounds exist.