Cyber Posture

CVE-2024-44142

High

Published: 30 January 2025
Modified: 18 March 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.3rd percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

The issue was addressed with improved bounds checks. This issue is fixed in GarageBand 10.4.12. Processing a maliciously crafted image may lead to arbitrary code execution.

Security Summary

CVE-2024-44142 is a vulnerability addressed through improved bounds checks in GarageBand. It affects GarageBand versions prior to 10.4.12, where processing a maliciously crafted image may lead to arbitrary code execution.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vector describes a local attack (AV:L) of low complexity (AC:L) that needs no prior privileges (PR:N) but does require user interaction (UI:R), such as convincing a user to open the malicious image in GarageBand; a successful exploit stays within the application's security scope (S:U) and can yield arbitrary code execution with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).

Apple's advisory confirms the issue is fixed in GarageBand 10.4.12. Additional details are available in the Apple support page at https://support.apple.com/en-us/121866 and the Full Disclosure mailing list post at http://seclists.org/fulldisclosure/2025/Feb/2.

Details

CWE(s): NVD-CWE-noinfo

Affected Products

Vendor: apple
Product: garageband
Version: ≤ 10.4.12

References