CVE-2024-44236: 
macOS vulnerability analysis and mitigation

An out-of-bounds access vulnerability (CVE-2024-44236) was discovered in Apple macOS that affects the ICC profile parsing functionality. The vulnerability was discovered by Hossein Lotfi of Trend Micro Zero Day Initiative and was fixed in macOS Ventura 13.7.1 and macOS Sonoma 14.7.1, released on October 28, 2024 (Apple Support, ZDI Advisory).

The vulnerability exists within the parsing of ICC profiles and results from the lack of proper validation of user-supplied data, which can lead to a write past the end of an allocated buffer. The issue has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability has been classified under CWE-125 (Out-of-bounds Read) by NIST and CWE-787 (Out-of-bounds Write) by CISA-ADP (ZDI Advisory, NVD).

Processing a maliciously crafted file may lead to unexpected app termination. An attacker can leverage this vulnerability to execute code in the context of the current process, potentially leading to arbitrary code execution on affected installations of Apple macOS (Apple Support, ZDI Advisory).

Apple has addressed this vulnerability by improving bounds checking in macOS Ventura 13.7.1 and macOS Sonoma 14.7.1. Users are advised to update to these versions or later to protect against this vulnerability (Apple Support).