This document describes the security content of visionOS 2.
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Released September 16, 2024
Available for: Apple Vision Pro
Impact: Processing a maliciously crafted file may lead to heap corruption
Description: The issue was addressed with improved checks.
CVE-2024-44126: Holger Fuhrmannek
Entry added October 28, 2024
Available for: Apple Vision Pro
Impact: A malicious app with root privileges may be able to modify the contents of system files
Description: The issue was addressed with improved checks.
CVE-2024-40825: Pedro Tôrres (@t0rr3sp3dr0)
Available for: Apple Vision Pro
Impact: Unpacking a maliciously crafted archive may allow an attacker to write arbitrary files
Description: A race condition was addressed with improved locking.
CVE-2024-27876: Snoolie Keffaber (@0xilis)
Available for: Apple Vision Pro
Impact: A sandboxed app may be able to access sensitive user data
Description: The issue was addressed with improved checks.
CVE-2024-40855: Csaba Fitzl (@theevilbit) of Kandji
Entry added March 3, 2025
Available for: Apple Vision Pro
Impact: A local user may be able to leak sensitive user information
Description: The issue was addressed with improved checks.
CVE-2024-54469: Csaba Fitzl (@theevilbit) of Kandji
Entry added March 3, 2025
Available for: Apple Vision Pro
Impact: An app may be able to access user-sensitive data
Description: A file access issue was addressed with improved input validation.
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)
Available for: Apple Vision Pro
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: An out-of-bounds read issue was addressed with improved input validation.
CVE-2024-27880: Junsung Lee
Available for: Apple Vision Pro
Impact: Processing an image may lead to a denial-of-service
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero Day Initiative and an anonymous researcher
Available for: Apple Vision Pro
Impact: An app may be able to cause unexpected system termination
Description: The issue was addressed with improved memory handling.
CVE-2024-44169: Antonio Zekić
Available for: Apple Vision Pro
Impact: Network traffic may leak outside a VPN tunnel
Description: A logic issue was addressed with improved checks.
CVE-2024-44165: Andrew Lytvynov
Available for: Apple Vision Pro
Impact: An app may gain unauthorized access to Bluetooth
Description: This issue was addressed through improved state management.
CVE-2024-44191: Alexander Heinrich, SEEMOO, DistriNet, KU Leuven (@vanhoefm), TU Darmstadt (@Sn0wfreeze) and Mathy Vanhoef
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: An integer overflow was addressed through improved input validation.
CVE-2024-44198: OSS-Fuzz, Ned Williamson of Google Project Zero
Available for: Apple Vision Pro
Impact: An app may be able to cause a denial-of-service
Description: A logic error was addressed with improved error handling.
CVE-2024-44183: Olivier Levon
Available for: Apple Vision Pro
Impact: Processing a maliciously crafted image may lead to a denial-of-service
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2023-5841
Available for: Apple Vision Pro
Impact: An app may be able to overwrite arbitrary files
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-44167: ajajfxhj
Available for: Apple Vision Pro
Impact: An app may be able to read sensitive data from the GPU memory
Description: The issue was addressed with improved handling of caches.
CVE-2024-40790: Max Thomas
Available for: Apple Vision Pro
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: A buffer overflow was addressed with improved size validation.
CVE-2024-44144: 냥냥
Entry added October 28, 2024
Available for: Apple Vision Pro
Impact: A malicious website may exfiltrate data cross-origin
Description: A cookie management issue was addressed with improved state management.
WebKit Bugzilla: 287874
CVE-2024-54467: Narendra Bhati, Manager of Cyber Security At Suma Soft Pvt. Ltd, Pune (India)
Entry added March 3, 2025
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 268770
CVE-2024-44192: Tashita Software Security
Entry added March 3, 2025
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 268724
CVE-2024-40857: Ron Masas
Available for: Apple Vision Pro
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins.
WebKit Bugzilla: 279452
CVE-2024-44187: Narendra Bhati, Manager of Cyber Security at Suma Soft Pvt. Ltd, Pune (India)
We would like to acknowledge Braxton Anderson for their assistance.
We would like to acknowledge Kirin (@Pwnrin) for their assistance.
We would like to acknowledge Abhay Kailasia (@abhay_kailasia) of Lakshmi Narain College of Technology Bhopal, Dev dutta (manas.dutta.75), and Prateek Pawar (vakil sahab) for their assistance.
Entry added March 3, 2025
We would like to acknowledge Richard Hyunho Im (@r1cheeta) for their assistance.
We would like to acknowledge Junior Vergara for their assistance.
Entry added March 3, 2025
We would like to acknowledge Vaibhav Prajapati for their assistance.
We would like to acknowledge Avi Lumelsky of Oligo Security, Uri Katz of Oligo Security, Eli Grey (eligrey.com), Johan Carlsson (joaxcar) for their assistance.
Entry updated October 28, 2024