VYPR
Medium severity 6.5 · NVD Advisory · Published Dec 12, 2024 · Updated Apr 2, 2026

CVE-2024-54486

Description

The issue was addressed with improved checks. This issue is fixed in iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, tvOS 18.2, visionOS 2.2, watchOS 11.2. Processing a maliciously crafted font may result in the disclosure of process memory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Processing a maliciously crafted font can disclose process memory; Apple fixed it in multiple OS updates.

CVE-2024-54486 is a memory disclosure vulnerability in Apple's font parsing engine. The issue stems from insufficient validation when processing crafted font files, allowing an attacker to read portions of process memory that may contain sensitive data.

Exploitation requires the victim to process a malicious font, which can occur through web content, email attachments, or document previews. No special privileges or user interaction beyond normal usage is needed, making it a remotely triggerable information leak.

A successful attack could expose kernel or application memory, potentially leaking credentials, encryption keys, or other confidential information. The CVSS v3 base score of 6.5 reflects the medium severity due to the need for user interaction and the confidentiality impact.

Apple addressed the vulnerability with improved checks in iOS 18.2, iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, tvOS 18.2, visionOS 2.2, and watchOS 11.2 [1][2][3][4]. Users are advised to update their devices to the latest available versions.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9
  • Apple Inc./Ipados (2 versions)
    cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* + 1 more
    • cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* range: <17.7.3
    • (no CPE) range: <18.2, <17.7.3
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    Range: <18.2
  • Apple Inc./macOS (2 versions)
    cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* + 1 more
    • cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* range: <13.7.2
    • (no CPE) range: <15.2, <14.7.2, <13.7.2
  • cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
    Range: <18.2
  • cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
    Range: <2.2
  • cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
    Range: <11.2
  • Apple Inc./iOS (llm-fuzzy)
    Range: <18.2

References

13
