CVE-2024-54543 Overview
CVE-2024-54543 is a memory corruption vulnerability affecting Apple Safari and multiple Apple operating systems. Processing maliciously crafted web content can trigger an out-of-bounds write condition [CWE-787], leading to memory corruption. Apple addressed the issue with improved memory handling across Safari 18.2, iOS 18.2, iPadOS 18.2, iPadOS 17.7.6, macOS Sequoia 15.2, tvOS 18.2, visionOS 2.2, and watchOS 11.2.
The flaw is exploitable over the network with low attack complexity and requires user interaction, such as visiting a malicious website. Successful exploitation can result in full compromise of confidentiality, integrity, and availability on the affected device.
Critical Impact
Remote attackers can corrupt memory and potentially achieve arbitrary code execution through crafted web content rendered in WebKit-based browsers and applications.
Affected Products
- Apple Safari (versions prior to 18.2)
- Apple iOS and iPadOS (prior to 18.2; iPadOS prior to 17.7.6)
- Apple macOS Sequoia (prior to 15.2), tvOS (prior to 18.2), visionOS (prior to 2.2), and watchOS (prior to 11.2)
Discovery Timeline
- 2025-01-27 - CVE-2024-54543 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2024-54543
Vulnerability Analysis
The vulnerability resides in the web content processing engine shared across Apple's browser and operating system stack, which is based on WebKit. When the engine parses maliciously crafted HTML, JavaScript, or related web resources, it writes data outside the bounds of an allocated buffer. This out-of-bounds write [CWE-787] corrupts adjacent memory structures.
Memory corruption in a browser rendering engine typically enables an attacker to overwrite function pointers, virtual table entries, or JavaScript object metadata. By controlling the corrupted values, an attacker can pivot toward arbitrary code execution within the sandboxed renderer process.
The vulnerability requires user interaction. A target must navigate to attacker-controlled content or open a crafted document that loads remote resources through a WebKit-based component such as an in-app browser view.
Root Cause
The underlying defect is improper bounds enforcement during memory operations in WebKit. Apple's advisory states the fix addresses the issue "with improved memory handling," which is consistent with adding length checks or correcting size calculations before write operations.
Attack Vector
Exploitation occurs through the network attack surface. An attacker hosts crafted web content on a website, delivers it through an embedded WebView, or sends it via phishing links and HTML email. When the victim's WebKit-based client renders the payload, the out-of-bounds write executes inside the renderer process.
No proof-of-concept exploit code is publicly available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical details are documented in Apple's advisories. See the Apple Support Article 121837 and the Full Disclosure April 2025 post for vendor and community references.
Detection Methods for CVE-2024-54543
Indicators of Compromise
- Unexpected crashes or signal terminations (SIGSEGV, SIGBUS) in Safari, WebContent, or com.apple.WebKit.WebContent processes recorded in macOS or iOS crash logs.
- Outbound network connections to newly registered or low-reputation domains immediately following a browser session.
- Spawning of unexpected child processes from Safari or WebKit-hosted applications.
Detection Strategies
- Hunt for WebContent crash reports under ~/Library/Logs/DiagnosticReports/ on macOS endpoints and correlate timestamps with browsing activity.
- Monitor EDR telemetry for anomalous process behavior originating from Safari.app, WebKit.framework, or applications embedding WKWebView.
- Inspect HTTP/HTTPS proxy logs for requests to URLs containing unusually large inline scripts or malformed media payloads served before a crash event.
Monitoring Recommendations
- Centralize browser and OS crash telemetry into a SIEM and alert on repeated WebKit renderer faults across multiple users.
- Track Apple software version inventory and flag endpoints running Safari, iOS, iPadOS, macOS, tvOS, visionOS, or watchOS builds below the patched releases.
- Enable DNS and web proxy logging to identify users visiting suspicious domains shortly before client-side instability.
How to Mitigate CVE-2024-54543
Immediate Actions Required
- Update all Apple devices to Safari 18.2, iOS 18.2, iPadOS 18.2 or 17.7.6, macOS Sequoia 15.2, tvOS 18.2, visionOS 2.2, and watchOS 11.2 or later.
- Enforce automatic updates through MDM policies for managed iOS, iPadOS, and macOS fleets.
- Audit third-party applications using WKWebView to confirm they inherit the patched WebKit version.
Patch Information
Apple released the fix in the December 2024 security updates. Refer to the vendor advisories: Apple Support Article 121837, 121839, 121843, 121844, 121845, and 121846. Additional details appear in Apple Support Article 122372.
Workarounds
- Restrict browsing to trusted domains using web filtering or DNS security controls until patches are deployed.
- Disable JavaScript in Safari for high-risk users via configuration profiles where business workflows allow.
- Block known malicious domains and newly registered domains at the network egress to reduce exposure to crafted web content.
# Verify Safari version on macOS
mdls -name kMDItemVersion /Applications/Safari.app
# Verify macOS build
sw_vers
# Trigger software update check on macOS
sudo softwareupdate -l
sudo softwareupdate -ia --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
