CVE-2024-44296
Description
The issue was addressed with improved checks. This issue is fixed in Safari 18.1, iOS 17.7.1 and iPadOS 17.7.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, tvOS 18.1, visionOS 2.1, watchOS 11.1. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Processing maliciously crafted web content can bypass Content Security Policy enforcement in Apple's Safari, iOS, iPadOS, macOS, tvOS, visionOS, and watchOS.
Vulnerability
Description
CVE-2024-44296 is a flaw in WebKit's processing of web content (the engine behind Safari on Apple platforms and, as WebKitGTK, behind many Linux desktop browsers and embedded web views) that lets a maliciously crafted page prevent Content Security Policy (CSP) from being enforced. Apple's advisories describe the fix only as "improved checks" and do not detail the root cause [1][2]. The fix shipped across all affected Apple platforms, and the corresponding WebKitGTK 2.46.3 update is tracked by the Linux distributions listed under Affected products.
Exploitation
Scenario
An attacker exploits this by getting a victim to load maliciously crafted web content, typically by luring them to an attacker-controlled page. No authentication or physical access is needed; the attack is entirely web-based. The victim must be rendering that content with an unpatched Safari or other WebKit-based browser or web view on an affected Apple platform, or with an unpatched WebKitGTK build on one of the Linux distributions listed under Affected products [1][2][3][4].
Impact
Successful exploitation prevents Content Security Policy from being enforced, removing the browser-side control that sites use to mitigate cross-site scripting (XSS) and data injection. A CSP bypass is not a code-execution bug on its own: it becomes dangerous when combined with an injection point on a site whose CSP would otherwise have blocked the injected script (for example a nonce- or hash-based script-src). With that combination, attacker-supplied script runs in the victim's session on that site, exposing session data or enabling further actions the user is authorised to perform [1].
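To make concrete what "not enforced" costs, here is an added example (not code from WebKit, Apple or the referenced advisories) in JavaScript: a simplified evaluator for the script-src decisions a CSP-enforcing browser makes, run over a constructed nonce-based policy, page URL and set of script loads. It supports 'self', 'none', '*', 'unsafe-inline', nonces, scheme-sources and host-sources (scheme, wildcard subdomain, port); path matching, hash-sources and 'strict-dynamic' are omitted. Each request is evaluated twice, once under the policy and once with the header set to null, which models a browser that has stopped enforcing the policy. The second column is what this CVE hands an attacker: the injected inline script and the attacker-hosted script both run.

```javascript
// Added example (not WebKit's or Apple's code): simplified CSP script-src evaluator.
// Supported: 'self', 'none', '*', 'unsafe-inline', 'nonce-...', scheme-source (https:)
// and host-source (https://cdn.example.com:8443, *.example.com). Paths, hash-sources
// and 'strict-dynamic' are left out. All policies, URLs and nonces are constructed.

const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse a Content-Security-Policy header value into Map(directive -> [sources]).
// A repeated directive name is ignored after its first occurrence, as in the spec.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs scripts and falls back to default-src; null means unrestricted.
function scriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// "http:" also covers https: and "ws:" also covers wss: (secure upgrades).
function schemeCovers(pattern, scheme) {
  if (pattern === scheme) return true;
  return (pattern === 'http:' && scheme === 'https:') || (pattern === 'ws:' && scheme === 'wss:');
}

// Match one host-source expression against a URL; the page URL supplies a missing scheme.
function hostSourceMatches(expr, url, pageUrl) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^:\/*]+|[^:\/*]+)(?::(\*|\d+))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, hostPat, portPat] = m;
  const wantScheme = scheme ? `${scheme.toLowerCase()}:` : pageUrl.protocol;
  if (!schemeCovers(wantScheme, url.protocol)) return false;
  const host = url.hostname.toLowerCase();
  const pat = hostPat.toLowerCase();
  if (pat.startsWith('*.') ? !host.endsWith(pat.slice(1)) : host !== pat) return false;
  if (portPat === undefined) return url.port === ''; // no port-part: URL must use the default port
  if (portPat === '*') return true;
  return (url.port || DEFAULT_PORTS[url.protocol]) === portPat;
}

// Decide whether a script executes under `header` on page `pageUrlStr`.
// request is { inline: true, nonce?: string } or { src: 'https://...' }.
// header === null models a browser that is not enforcing the policy at all.
function allowsScript(header, pageUrlStr, request) {
  const sources = header === null ? null : scriptSources(parsePolicy(header));
  if (sources === null) return true;
  const pageUrl = new URL(pageUrlStr);
  const lower = sources.map((s) => s.toLowerCase());
  const nonces = sources.filter((s) => /^'nonce-.+'$/i.test(s)).map((s) => s.slice(7, -1));
  const hasHashes = lower.some((s) => /^'sha(256|384|512)-/.test(s));
  if (request.inline) {
    if (request.nonce !== undefined && nonces.includes(request.nonce)) return true;
    // 'unsafe-inline' is ignored once any nonce or hash source is present (CSP3).
    return lower.includes("'unsafe-inline'") && nonces.length === 0 && !hasHashes;
  }
  const url = new URL(request.src);
  for (const s of sources) {
    const expr = s.toLowerCase();
    if (expr === "'self'") {
      if (url.origin === pageUrl.origin) return true;
    } else if (expr === '*') {
      if (NETWORK_SCHEMES.has(url.protocol)) return true;
    } else if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) {
      if (schemeCovers(expr, url.protocol)) return true;
    } else if (!expr.startsWith("'")) {
      if (hostSourceMatches(s, url, pageUrl)) return true;
    }
  }
  return false; // covers 'none' and every unmatched request
}

// Constructed policy and page: a nonce-based CSP that blocks a reflected <script>
// injection as long as the browser actually enforces it.
const POLICY = "default-src 'none'; script-src 'self' 'nonce-Q7c1vXz9' https://cdn.example.com; object-src 'none'";
const PAGE = 'https://app.example.com/account';
const REQUESTS = [
  ['legitimate inline script with nonce', { inline: true, nonce: 'Q7c1vXz9' }],
  ['injected inline script, no nonce', { inline: true }],
  ['same-origin script', { src: 'https://app.example.com/static/app.js' }],
  ['allow-listed CDN script', { src: 'https://cdn.example.com/lib.js' }],
  ['attacker-hosted script', { src: 'https://attacker.example.net/x.js' }],
];

// Same requests, enforcing browser versus one whose enforcement was bypassed.
function compare() {
  return REQUESTS.map(([label, req]) => ({
    label,
    enforced: allowsScript(POLICY, PAGE, req),
    bypassed: allowsScript(null, PAGE, req),
  }));
}

for (const row of compare()) {
  console.log(`${row.label.padEnd(38)} enforced=${row.enforced}  bypassed=${row.bypassed}`);
}
```

The point of the two columns: the policy itself is unchanged by the bug, so a server-side scan of response headers will still show a correct CSP; only the client's enforcement is gone. That is why defence in depth (output encoding at the injection point, not CSP alone) is what limits the blast radius of a browser bug of this kind.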
Mitigation
Apple has released fixes in Safari 18.1, iOS 17.7.1 and 18.1, iPadOS 17.7.1 and 18.1, macOS Sequoia 15.1, tvOS 18.1, visionOS 2.1, and watchOS 11.1 [1][2][3][4]; users should update promptly. On Linux the fix is carried by WebKitGTK 2.46.3; the distribution builds that contain it are enumerated under Affected products, and Debian LTS announced its update on debian-lts-announce (see References). There is no evidence this CVE is listed in CISA's Known Exploited Vulnerabilities catalog. Note that a CSP bypass is a mitigation bypass rather than a standalone exploit, so its practical severity depends on whether a site relies on CSP to contain an existing injection; prompt patching is still recommended.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
40 OSV coordinates; none carries a CPE. Each entry gives the package URL and its affected version range.
- pkg:rpm/almalinux/webkit2gtk3: < 2.46.3-1.el9_5
- pkg:rpm/almalinux/webkit2gtk3-devel: < 2.46.3-1.el9_5
- pkg:rpm/almalinux/webkit2gtk3-jsc: < 2.46.3-1.el9_5
- pkg:rpm/almalinux/webkit2gtk3-jsc-devel: < 2.46.3-1.el9_5
- pkg:rpm/opensuse/webkit2gtk3&distro=openSUSE%20Leap%2015.5: < 2.46.3-150400.4.97.1
- pkg:rpm/opensuse/webkit2gtk3&distro=openSUSE%20Leap%2015.6: < 2.46.3-150600.12.16.1
- pkg:rpm/opensuse/webkit2gtk3-soup2&distro=openSUSE%20Leap%2015.5: < 2.46.3-150400.4.97.1
- pkg:rpm/opensuse/webkit2gtk3-soup2&distro=openSUSE%20Leap%2015.6: < 2.46.3-150600.12.16.1
- pkg:rpm/opensuse/webkit2gtk4&distro=openSUSE%20Leap%2015.5: < 2.46.3-150400.4.97.1
- pkg:rpm/opensuse/webkit2gtk4&distro=openSUSE%20Leap%2015.6: < 2.46.3-150600.12.16.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Enterprise%20Storage%207.1: < 2.46.3-150200.127.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS: < 2.46.3-150200.127.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS: < 2.46.3-150200.127.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6: < 2.46.3-150600.12.16.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS: < 2.46.3-4.18.2
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS: < 2.46.3-150200.127.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS: < 2.46.3-150200.127.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2: < 2.46.3-150200.127.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3: < 2.46.3-150200.127.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5: < 2.46.3-4.18.2
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6: < 2.46.3-150600.12.16.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Manager%20Proxy%204.3: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk3-soup2&distro=SUSE%20Manager%20Server%204.3: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6: < 2.46.3-150600.12.16.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6: < 2.46.3-150600.12.16.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS: < 2.46.3-150400.4.97.1
- pkg:rpm/suse/webkit2gtk4&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4: < 2.46.3-150400.4.97.1
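Because the Linux side of this CVE is a plain package update, the check a practitioner wants is whether the installed WebKitGTK build is at or past the fixed version for their distribution. The following is an added example in Python (not vendor tooling): it implements rpm's rpmvercmp() ordering including the '~' and '^' rules, parses the output of rpm -qa --qf '%{SOURCERPM} %{EPOCH}:%{VERSION}-%{RELEASE}\n', maps each binary package (libwebkit2gtk-4_0-37, webkit2gtk3-jsc and so on) back to the source package the purls above name, and compares against fixed versions copied from the list above for four of the listed distributions. The sample rpm output and the distribution keys are constructed for illustration.

```python
"""Check installed WebKitGTK RPMs against the fixed versions for CVE-2024-44296.

Added example, not vendor tooling. FIXED holds fixed versions copied from the
affected-products list on this page for four of the listed distributions; the
rpm output lines are constructed for illustration. Version ordering follows
rpm's rpmvercmp() algorithm (digit/alpha segments, '~' sorting before anything,
'^' sorting after the end of the string but before anything else).
"""
import re

# Fixed version-release per distribution and source package (from this page).
FIXED = {
    "almalinux-9": {"webkit2gtk3": "2.46.3-1.el9_5"},
    "opensuse-leap-15.6": {
        "webkit2gtk3": "2.46.3-150600.12.16.1",
        "webkit2gtk3-soup2": "2.46.3-150600.12.16.1",
        "webkit2gtk4": "2.46.3-150600.12.16.1",
    },
    "sles-15-sp4-ltss": {
        "webkit2gtk3": "2.46.3-150400.4.97.1",
        "webkit2gtk3-soup2": "2.46.3-150400.4.97.1",
        "webkit2gtk4": "2.46.3-150400.4.97.1",
    },
    "sles-12-sp5-ltss": {"webkit2gtk3": "2.46.3-4.18.2"},
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp(); separators such as '.', '-', '_' are ignored."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa or sb:
        x = sa[0] if sa else ""
        y = sb[0] if sb else ""
        if x == "~" or y == "~":  # tilde sorts before everything, even the end of the string
            if x != "~":
                return 1
            if y != "~":
                return -1
            del sa[0], sb[0]
            continue
        if x == "^" or y == "^":  # caret sorts after end of string but before anything else
            if not x:
                return -1
            if not y:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            del sa[0], sb[0]
            continue
        if not x or not y:
            break
        del sa[0], sb[0]
        if x.isdigit() != y.isdigit():  # a numeric segment is newer than an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if not sa and not sb:
        return 0
    return 1 if sa else -1


def parse_evr(evr: str):
    """'(none):2.46.3-1.el9_5' or '2.46.3-1.el9_5' -> ('0', '2.46.3', '1.el9_5')."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    elif epoch == "(none)":
        epoch = "0"
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two epoch:version-release strings the way rpm orders packages."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def source_name(srpm: str) -> str:
    """'webkit2gtk3-soup2-2.44.3-150400.4.91.1.src.rpm' -> 'webkit2gtk3-soup2'."""
    base = srpm[: -len(".src.rpm")] if srpm.endswith(".src.rpm") else srpm
    return base.rsplit("-", 2)[0]


def check_packages(rpm_lines, distro: str) -> dict:
    """Map each affected source package seen in rpm_lines to (evr, status).

    rpm_lines: output of  rpm -qa --qf '%{SOURCERPM} %{EPOCH}:%{VERSION}-%{RELEASE}\\n'
    Binary packages are resolved to their source package, which is what the purls
    and fixed versions on this page refer to; unrelated packages are skipped.
    """
    fixed = FIXED[distro]
    results = {}
    for line in rpm_lines:
        if not line.strip():
            continue
        srpm, evr = line.split()[:2]
        name = source_name(srpm)
        if name not in fixed:
            continue
        status = "VULNERABLE" if evrcmp(evr, fixed[name]) < 0 else "fixed"
        results[name] = (evr, status)
    return results


# Constructed sample (not from a real host): a SLES 15 SP4-LTSS system with two
# binary packages from an old webkit2gtk3 build, an up-to-date webkit2gtk4, and noise.
SAMPLE_RPM_OUTPUT = """\
webkit2gtk3-2.44.3-150400.4.91.1.src.rpm (none):2.44.3-150400.4.91.1
webkit2gtk3-2.44.3-150400.4.91.1.src.rpm (none):2.44.3-150400.4.91.1
webkit2gtk4-2.46.3-150400.4.97.1.src.rpm (none):2.46.3-150400.4.97.1
glib2-2.70.5-150400.3.8.1.src.rpm (none):2.70.5-150400.3.8.1
"""

if __name__ == "__main__":
    for name, (evr, status) in check_packages(SAMPLE_RPM_OUTPUT.splitlines(), "sles-15-sp4-ltss").items():
        print(f"{name:20} {evr:32} {status}")
```

Resolving to the source package matters because the SUSE binary package names (libwebkit2gtk-4_0-37, typelib-1_0-WebKit2-4_0 and similar) do not contain "webkit2gtk3" at all, so a naive grep on binary names misses them. Comparing with rpmvercmp rather than a string or float comparison is what makes 150400.4.100.1 correctly sort after 150400.4.97.1.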
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (12)
- support.apple.com/en-us/121563 (nvd; Vendor Advisory)
- support.apple.com/en-us/121564 (nvd; Vendor Advisory)
- support.apple.com/en-us/121565 (nvd; Vendor Advisory)
- support.apple.com/en-us/121566 (nvd; Vendor Advisory)
- support.apple.com/en-us/121567 (nvd; Vendor Advisory)
- support.apple.com/en-us/121569 (nvd; Vendor Advisory)
- support.apple.com/en-us/121571 (nvd; Vendor Advisory)
- seclists.org/fulldisclosure/2024/Oct/11 (nvd)
- seclists.org/fulldisclosure/2024/Oct/16 (nvd)
- seclists.org/fulldisclosure/2024/Oct/19 (nvd)
- seclists.org/fulldisclosure/2024/Oct/9 (nvd)
- lists.debian.org/debian-lts-announce/2024/11/msg00019.html (nvd)
News mentions (0)
No linked articles in our index yet.