CVE-2024-54486: 
macOS vulnerability analysis and mitigation

CVE-2024-54486 is a security vulnerability affecting Apple's FontParser component that was disclosed on December 11, 2024. The vulnerability impacts multiple Apple operating systems including iPadOS 17.7.3, watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Ventura 13.7.2, and macOS Sonoma 14.7.2 (Apple Support).

The vulnerability exists in the FontParser component where processing a maliciously crafted font may result in the disclosure of process memory. The issue was addressed by Apple with improved checks in the affected systems. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows an attacker to potentially access and disclose process memory through maliciously crafted fonts. This could lead to exposure of sensitive information that should normally be protected within the system's memory space (Apple Support, Rapid7).

Apple has released security updates to address this vulnerability across their affected operating systems. Users should update to iPadOS 17.7.3, watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Ventura 13.7.2, or macOS Sonoma 14.7.2 depending on their device (Apple Support).

The vulnerability was discovered and reported by Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative, demonstrating ongoing security research collaboration between security researchers and Apple (Apple Support).