Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-54499

CVE-2024-54499: Apple iPadOS Use-After-Free Vulnerability

CVE-2024-54499 is a use-after-free vulnerability in Apple iPadOS that allows attackers to execute arbitrary code via malicious images. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2024-54499 Overview

CVE-2024-54499 is a use-after-free vulnerability [CWE-416] affecting Apple's image processing components across multiple operating systems. Processing a maliciously crafted image can trigger arbitrary code execution on affected devices. Apple addressed the issue with improved memory management in iOS 18.2, iPadOS 18.2, macOS Sequoia 15.2, tvOS 18.2, visionOS 2.2, and watchOS 11.2.

The vulnerability requires user interaction, typically opening or previewing a malicious image. Successful exploitation results in complete compromise of confidentiality, integrity, and availability on the targeted device.

Critical Impact

Remote attackers can achieve arbitrary code execution by delivering a crafted image to a victim across Apple's iOS, iPadOS, macOS, tvOS, visionOS, and watchOS platforms.

Affected Products

  • Apple iOS and iPadOS before 18.2
  • Apple macOS Sequoia before 15.2
  • Apple tvOS before 18.2, visionOS before 2.2, watchOS before 11.2

Discovery Timeline

  • 2025-01-27 - CVE-2024-54499 published to NVD
  • 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2024-54499

Vulnerability Analysis

The vulnerability resides in Apple's image processing code path used across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. A use-after-free condition occurs when the affected component continues to reference memory after it has been freed during image parsing. An attacker who controls the structure of an image file can shape the freed allocation and reclaim it with attacker-controlled data.

When the dangling pointer is dereferenced, the corrupted object enables hijacking of control flow. This results in arbitrary code execution within the context of the process handling the image. Because image rendering is frequently invoked by mail clients, messaging apps, browsers, and previewers, the attack surface spans many user-facing workflows.

Apple resolved the defect by tightening object lifetime management. The fix ensures references are invalidated before memory is released, eliminating the dangling pointer condition.

Root Cause

The root cause is improper memory management [CWE-416] in an image decoding routine. Object lifetimes were not synchronized with reference counts or pointer ownership, allowing a freed allocation to remain accessible.

Attack Vector

Exploitation requires delivering a crafted image to the target and inducing the victim to open or preview it. Common delivery channels include email attachments, instant messages, web pages, and AirDrop transfers. No prior authentication is needed, and the network attack vector applies because the image can originate from any remote source.

No public proof-of-concept exploit has been observed for CVE-2024-54499, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2024-54499

Indicators of Compromise

  • Unexpected crashes or restarts in image-handling processes such as Preview, Messages, Mail, or MobileSafari shortly after receiving image content.
  • Crash logs referencing memory access violations inside image decoding frameworks (ImageIO, CoreGraphics).
  • Anomalous child processes spawned by applications that ordinarily only render images.

Detection Strategies

  • Correlate endpoint telemetry for image-rendering process crashes with inbound message or email events to surface suspicious image delivery.
  • Inspect macOS unified logs and iOS sysdiagnose archives for EXC_BAD_ACCESS exceptions originating in image parsing libraries.
  • Hunt for outbound network connections initiated by image-handling processes immediately after a crash event.

Monitoring Recommendations

  • Track OS build versions across the fleet to identify devices still running pre-18.2 / 15.2 / 11.2 / 2.2 releases.
  • Alert on delivery of uncommon or malformed image MIME types through mail and messaging gateways.
  • Centralize crash reports from managed Apple devices and review repeated faults in image decoders.

How to Mitigate CVE-2024-54499

Immediate Actions Required

  • Update affected devices to iOS 18.2, iPadOS 18.2, macOS Sequoia 15.2, tvOS 18.2, visionOS 2.2, or watchOS 11.2 or later.
  • Prioritize patching for users who routinely receive images from untrusted external senders.
  • Audit Mobile Device Management (MDM) compliance reports to confirm enforcement of the minimum required OS version.

Patch Information

Apple released fixes in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, tvOS 18.2, visionOS 2.2, and watchOS 11.2. Refer to the vendor advisories: Apple Support Document #121837, Apple Support Document #121839, Apple Support Document #121843, Apple Support Document #121844, and Apple Support Document #121845.

Workarounds

  • Disable automatic image previews in mail clients and messaging applications until devices are patched.
  • Restrict AirDrop to Contacts Only or disable it to limit unsolicited image delivery.
  • Train users to avoid opening images from unknown senders and report suspicious attachments.
bash
# Verify macOS build and trigger software update
sw_vers -productVersion
softwareupdate --list
sudo softwareupdate -i -a --restart

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne