About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
visionOS 1.1
Released March 7, 2024
Accessibility
Available for: Apple Vision Pro
Impact: An app may be able to spoof system notifications and UI
Description: This issue was addressed with additional entitlement checks.
CVE-2024-23262: Guilherme Rambo of Best Buddy Apps (rambo.codes)
ImageIO
Available for: Apple Vision Pro
Impact: Processing an image may result in disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative
ImageIO
Available for: Apple Vision Pro
Impact: Processing an image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2024-23258: Zhenjiang Zhao of pangu team and Qianxin
ImageIO
Available for: Apple Vision Pro
Impact: Processing an image may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2024-23286: Dohyun Lee (@l33d0hyun)
Kernel
Available for: Apple Vision Pro
Impact: An app may be able to access user-sensitive data
Description: A race condition was addressed with additional validation.
CVE-2024-23235
Kernel
Available for: Apple Vision Pro
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2024-23265: Xinru Chi of Pangu Lab
Kernel
Available for: Apple Vision Pro
Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved validation.
CVE-2024-23225
Metal
Available for: Apple Vision Pro
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative
Persona
Available for: Apple Vision Pro
Impact: An unauthenticated user may be able to use an unprotected Persona
Description: A permissions issue was addressed to help ensure Personas are always protected
CVE-2024-23295: Patrick Reardon
RTKit
Available for: Apple Vision Pro
Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.
Description: A memory corruption issue was addressed with improved validation.
CVE-2024-23296
Safari
Available for: Apple Vision Pro
Impact: An app may be able to fingerprint the user
Description: The issue was addressed with improved handling of caches.
CVE-2024-23220
UIKit
Available for: Apple Vision Pro
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed by removing the vulnerable code.
CVE-2024-23246: Deutsche Telekom Security GmbH sponsored by Bundesamt für Sicherheit in der Informationstechnik
WebKit
Available for: Apple Vision Pro
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 259694
CVE-2024-23226: Pwn2car
WebKit
Available for: Apple Vision Pro
Impact: A malicious website may exfiltrate audio data cross-origin
Description: The issue was addressed with improved UI handling.
WebKit Bugzilla: 263795
CVE-2024-23254: James Lee (@Windowsrcer)
WebKit
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: A logic issue was addressed with improved validation.
WebKit Bugzilla: 264811
CVE-2024-23263: Johan Carlsson (joaxcar)
WebKit
Available for: Apple Vision Pro
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: A logic issue was addressed with improved state management.
WebKit Bugzilla: 267241
CVE-2024-23284: Georg Felber and Marco Squarcina
Additional recognition
Kernel
We would like to acknowledge Tarek Joumaa (@tjkr0wn) and 이준성(Junsung Lee) for their assistance.
Model I/O
We would like to acknowledge Junsung Lee for their assistance.
Power Management
We would like to acknowledge Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. for their assistance.
Safari
We would like to acknowledge Abhinav Saraswat, Matthew C, and 이동하 ( Lee Dong Ha of ZeroPointer Lab ) for their assistance.
WebKit
We would like to acknowledge Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese of TU Wien for their assistance.