CVE-2024-40774: An app may be able to bypass Privacy preferences in Apple iOS and iPadOS
CVE-2024-40774 is a vulnerability in Apple iOS, iPadOS, and macOS Ventura where an app may bypass Privacy preferences due to a downgrade issue. This issue was addressed by Apple through additional code-signing restrictions and improved state management. The vulnerability affects devices from iPhone XS and later, various iPad Pro models, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later. The fix is included in iOS 17. 6, iPadOS 17. 6, and macOS Ventura 13. 6. 8, released on July 29, 2024. The CVSS score is 5. 9, indicating a medium severity level.
AI Analysis
Technical Summary
CVE-2024-40774 is a downgrade vulnerability affecting AppleMobileFileIntegrity on Apple platforms including iOS, iPadOS, and macOS Ventura. It allows an app to bypass Privacy preferences by exploiting insufficient code-signing restrictions. Apple addressed this issue by implementing additional code-signing restrictions and improved state management to prevent such bypasses. The vulnerability is fixed in iOS 17.6, iPadOS 17.6, and macOS Ventura 13.6.8. The affected devices include iPhone XS and later, multiple iPad Pro models, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later. The CVSS vector indicates the attack requires local access with low complexity, limited privileges, and user interaction, but can result in high confidentiality impact without affecting integrity or availability.
Potential Impact
An app exploiting this vulnerability may bypass user-configured Privacy preferences, potentially accessing sensitive user data without proper authorization. The impact is classified as high confidentiality impact, meaning sensitive information could be exposed. However, the vulnerability requires local access with user interaction and limited privileges, reducing the likelihood of remote exploitation. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Apple has released official fixes for this vulnerability in iOS 17.6, iPadOS 17.6, and macOS Ventura 13.6.8. Users and administrators should apply these updates promptly to mitigate the risk. Since the vendor advisory confirms the issue is fixed, no additional mitigation steps are required beyond updating to the patched versions.
CVE-2024-40774: An app may be able to bypass Privacy preferences in Apple iOS and iPadOS
Description
CVE-2024-40774 is a vulnerability in Apple iOS, iPadOS, and macOS Ventura where an app may bypass Privacy preferences due to a downgrade issue. This issue was addressed by Apple through additional code-signing restrictions and improved state management. The vulnerability affects devices from iPhone XS and later, various iPad Pro models, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later. The fix is included in iOS 17. 6, iPadOS 17. 6, and macOS Ventura 13. 6. 8, released on July 29, 2024. The CVSS score is 5. 9, indicating a medium severity level.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-40774 is a downgrade vulnerability affecting AppleMobileFileIntegrity on Apple platforms including iOS, iPadOS, and macOS Ventura. It allows an app to bypass Privacy preferences by exploiting insufficient code-signing restrictions. Apple addressed this issue by implementing additional code-signing restrictions and improved state management to prevent such bypasses. The vulnerability is fixed in iOS 17.6, iPadOS 17.6, and macOS Ventura 13.6.8. The affected devices include iPhone XS and later, multiple iPad Pro models, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later. The CVSS vector indicates the attack requires local access with low complexity, limited privileges, and user interaction, but can result in high confidentiality impact without affecting integrity or availability.
Potential Impact
An app exploiting this vulnerability may bypass user-configured Privacy preferences, potentially accessing sensitive user data without proper authorization. The impact is classified as high confidentiality impact, meaning sensitive information could be exposed. However, the vulnerability requires local access with user interaction and limited privileges, reducing the likelihood of remote exploitation. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Apple has released official fixes for this vulnerability in iOS 17.6, iPadOS 17.6, and macOS Ventura 13.6.8. Users and administrators should apply these updates promptly to mitigate the risk. Since the vendor advisory confirms the issue is fixed, no additional mitigation steps are required beyond updating to the patched versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apple
- Date Reserved
- 2024-07-10T17:11:04.687Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 690a3b52ff58c9332ff0741f
Added to database: 11/4/2025, 5:43:46 PM
Last enriched: 4/9/2026, 11:22:56 PM
Last updated: 5/9/2026, 8:28:35 AM
Views: 48
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.