CISA adds Apple iOS and iPadOS memory corruption bugs to its Known Exploited Vulnerabilities Catalog

Pierluigi Paganini March 07, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple iOS and iPadOS memory corruption vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)  the following vulnerabilities to its :

  •  Apple iOS and iPadOS Memory Corruption Vulnerability
  •  Apple iOS and iPadOS Memory Corruption Vulnerability

This week, Apple released emergency security updates to address two iOS zero-day vulnerabilities, respectively tracked as CVE-2024-23225 and CVE-2024-23296, that were exploited in attacks against iPhone devices.

CVE-2024-23225 is a Kernel memory corruption flaw, the company addressed it with improved validation.

“An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.” .

CVE-2024-23296 is a RTKit memory corruption flaw, the company addressed it with improved validation.

“An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.” continues the advisory.

Apple confirmed both vulnerabilities are actively exploited.

“Apple is aware of a report that this issue may have been exploited,” states the company.

Impacted devices are iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

The IT giant addressed the two vulnerabilities with the release of , , , and .

iPhone vulnerabilities are usually exploited by commercial spyware vendors or nation-state actors, in many cases, the targets were dissidents and journalists.

According to , FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the  and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 27, 2024.

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – ransomware, CISA



you might also like

leave a comment