CVE-2024-54551 Overview
CVE-2024-54551 is a memory handling vulnerability affecting Apple's WebKit browser engine across multiple operating systems and Safari. Processing maliciously crafted web content can trigger a denial-of-service condition in the browser engine. The flaw is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). Apple addressed the issue with improved memory handling in Safari 17.6, iOS 17.6, iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, and watchOS 10.6. The vulnerability is exploitable remotely over the network, requires no privileges, and requires no user interaction beyond visiting a malicious page.
Critical Impact
Remote attackers can crash Safari and WebKit-based applications on unpatched Apple devices by serving crafted web content, disrupting availability without authentication or user interaction.
Affected Products
- Apple Safari (prior to 17.6)
- Apple iOS and iPadOS (prior to 17.6), macOS Sonoma (prior to 14.6)
- Apple tvOS 17.6, visionOS 1.3, and watchOS 10.6 (prior versions)
Discovery Timeline
- 2025-03-21 - CVE-2024-54551 published to the National Vulnerability Database (NVD)
- 2025-06 - Referenced in Debian LTS Announcement June 2025
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2024-54551
Vulnerability Analysis
The vulnerability resides in Apple's WebKit browser engine, which powers Safari and renders web content on Apple operating systems. According to Apple's advisory, processing crafted web content can lead to a denial-of-service. The defect is categorized as a memory buffer boundary issue [CWE-119], indicating that WebKit performs operations on memory without proper bounds enforcement. Apple resolved the flaw through improved memory handling routines in the affected WebKit components.
The vulnerability affects only the availability of the targeted process. Confidentiality and integrity remain intact, meaning the issue does not lead to code execution or data exposure based on available information. However, the impact extends beyond Safari since WebKit renders content in any application embedding the engine, including Mail previews, in-app browsers, and Quick Look.
Root Cause
The root cause is improper memory handling within WebKit when parsing or rendering specific web content structures. Apple's terse advisory does not disclose the exact subsystem, but the [CWE-119] classification points to memory buffer boundary issues. Such conditions typically arise from incorrect length calculations, missing bounds checks, or improper allocation sizing during content processing.
Attack Vector
Exploitation requires the victim to load attacker-controlled web content in a WebKit-based context. An attacker hosts a malicious page or injects content into a compromised site. When WebKit processes the content, the memory handling defect triggers a crash of the rendering process. The Debian LTS advisory references this CVE in the context of distribution-level WebKit packages, confirming the issue also reaches WebKitGTK consumers.
No verified public proof-of-concept code is available for this vulnerability. Refer to Apple's advisories for affected component details: Apple Support Document #120909, #120911, #120913, #120914, #120915, and #120916.
Detection Methods for CVE-2024-54551
Indicators of Compromise
- Repeated, unexpected crashes of Safari or WebKit-based applications when loading specific URLs or web content
- Crash reports in ~/Library/Logs/DiagnosticReports/ referencing WebContent, com.apple.WebKit.WebContent, or WebKit processes
- Browser tab reload loops or rendering process termination correlated to navigation to untrusted domains
Detection Strategies
- Inventory Apple endpoints and identify devices running Safari, iOS, iPadOS, macOS, tvOS, visionOS, or watchOS versions below the fixed releases
- Correlate proxy and DNS logs with browser crash telemetry to identify domains triggering WebKit failures
- Monitor Linux endpoints for WebKitGTK package versions below those addressed in the Debian LTS Announcement June 2025
Monitoring Recommendations
- Forward macOS unified logs and crash reports to a centralized log platform for anomaly detection on WebKit process exits
- Track Apple software version compliance using mobile device management (MDM) reporting
- Alert on outbound connections from end-user devices to newly registered or low-reputation domains preceding WebKit crashes
How to Mitigate CVE-2024-54551
Immediate Actions Required
- Update Safari to 17.6 and upgrade affected operating systems to iOS 17.6, iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, or watchOS 10.6
- Deploy Apple security updates through MDM to enforce minimum OS versions across managed fleets
- For Debian and downstream Linux systems, apply the WebKitGTK packages referenced in the Debian LTS advisory
Patch Information
Apple released fixes in Safari 17.6, iOS 17.6, iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, and watchOS 10.6. Patch details are documented in Apple Support Document #120909, #120911, #120913, #120914, #120915, and #120916. The fix consists of improved memory handling in the affected WebKit code paths.
Workarounds
- Restrict browsing to trusted sites until patches are deployed, and enable web content filtering at the network gateway
- Use enterprise content filtering to block newly registered or untrusted domains likely to host crafted exploit pages
- Where Safari cannot be updated immediately, advise users to avoid clicking unsolicited links in email and messaging applications
# Verify installed Safari and macOS versions on managed endpoints
sw_vers -productVersion
mdls -name kMDItemVersion /Applications/Safari.app
# Force MDM-managed software update on macOS
sudo softwareupdate -ia --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
