CVE-2025-24120
Published: 27 January 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-24120 is a vulnerability stemming from inadequate management of object lifetimes, classified under CWE-772 (Missing Release of Resource after Effective Lifetime). It affects macOS systems, specifically versions prior to the patched releases of macOS Sequoia 15.3, macOS Sonoma 14.7.3, and macOS Ventura 13.7.3. The issue was publicly disclosed on January 27, 2025, and carries a CVSS v3.1 base score of 7.5, reflecting its potential for high-impact denial of service without confidentiality or integrity disruption.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables the attacker to trigger unexpected application termination, resulting in a denial-of-service condition on the targeted macOS app. The attack does not escalate privileges or compromise data, but its network accessibility and ease of execution make it a notable risk for availability.
Apple's security advisories detail the fix through enhanced object lifetime management and recommend updating to macOS Sequoia 15.3, macOS Sonoma 14.7.3, or macOS Ventura 13.7.3. Additional details are available in the referenced support bulletins at https://support.apple.com/en-us/122068, https://support.apple.com/en-us/122069, and https://support.apple.com/en-us/122070, along with Full Disclosure mailing list entries.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a macOS application flaw to cause unexpected termination, directly mapping to application or system exploitation for endpoint denial of service.