CVE-2024-27856

CVE-2024-27856 is a code injection vulnerability (CWE-94) affecting Apple's Safari browser and operating systems including iOS prior to 16.7.8 and 17.5, iPadOS prior to 16.7.8 and 17.5, macOS Sonoma prior to 14.5, tvOS prior to 17.5, visionOS prior to 1.2, and watchOS prior to 10.5. The issue occurs during file processing, potentially leading to unexpected application termination or arbitrary code execution, and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker with local access can exploit this vulnerability with low complexity and no required privileges, though user interaction is necessary, such as tricking a user into opening a malicious file. Successful exploitation enables high-impact outcomes, including arbitrary code execution, compromise of confidentiality, integrity, and availability on the targeted device.

Apple advisories indicate the vulnerability was addressed through improved checks in Safari 17.5, iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, tvOS 17.5, visionOS 1.2, and watchOS 10.5. Mitigation requires updating to these versions or later, with further details in support documents such as https://support.apple.com/en-us/120896, https://support.apple.com/en-us/120898, https://support.apple.com/en-us/120901, https://support.apple.com/en-us/120902, and https://support.apple.com/en-us/120903.