CVE-2024-54514
Description
The issue was addressed with improved checks. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, tvOS 18.2, watchOS 11.2. An app may be able to break out of its sandbox.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-54514 is a sandbox escape vulnerability in Apple operating systems, patched in December 2024 updates.
Root
Cause and Affected Systems
CVE-2024-54514 is a logic issue in the kernel or system service responsible for enforcing application sandbox restrictions on Apple platforms. The vulnerability allows a malicious application to break out of its sandbox and access system resources or user data that would normally be restricted [1][2]. The flaw was addressed with improved checks and file handling, and is present in iOS 18.2, iPadOS 18.2, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, tvOS 18.2, and watchOS 11.2 [1][2][3][4]. Notably, several related vulnerabilities (such as CVE-2024-54488, which exposes the Hidden Photos Album without authentication) were also fixed in the same releases, indicating a broader audit of file handling and access controls.
Attack
Vector and Prerequisites
To exploit CVE-2024-54514, an attacker must first have the ability to run an app on the target device—this could be a legitimate but malicious app distributed through the App Store or sideloaded on jailbroken devices. No additional authentication is required beyond that point; the exploit occurs at the application layer, leveraging improperly validated operations that bypass the sandbox. The vulnerability does not require physical access or network proximity, making it a local privilege escalation after initial code execution [1][2].
Impact
Successful exploitation gives an attacker an elevated ability to execute arbitrary code with the privileges of the sandboxed process, but outside its intended restrictions. This could lead to unauthorized access to files, sensitive user information (such as contacts, photos, or Keychain items), or the ability to install additional payloads with greater system access. The severity score of 8.6 (CVSS 3.1) reflects the high impact on confidentiality and availability, though the attack complexity and user interaction requirements are uncertain [1][2][3][4].
Mitigation and
Status
Apple has released patches for all affected operating systems as of December 11, 2024 (iOS 18.2, etc.). Users are strongly advised to update their devices to the latest available version. There is no evidence of active exploitation in the wild, but the vulnerability is rated High and could be leveraged in targeted attacks. No workarounds have been published; the only remediation is installing the security updates [1][2][3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
12cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*range: <18.2
- (no CPE)range: <18.2
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*range: <18.2
- (no CPE)range: <18.2
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*range: <11.2
- (no CPE)range: <11.2
- Range: <15.2
- Range: <14.7.2
- Range: <13.7.2
- Range: <18.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- support.apple.com/en-us/121837nvdVendor Advisory
- support.apple.com/en-us/121839nvdVendor Advisory
- support.apple.com/en-us/121840nvdVendor Advisory
- support.apple.com/en-us/121842nvdVendor Advisory
- support.apple.com/en-us/121843nvdVendor Advisory
- support.apple.com/en-us/121844nvdVendor Advisory
- seclists.org/fulldisclosure/2024/Dec/11nvd
- seclists.org/fulldisclosure/2024/Dec/5nvd
- seclists.org/fulldisclosure/2024/Dec/7nvd
- seclists.org/fulldisclosure/2024/Dec/9nvd
News mentions
0No linked articles in our index yet.