CVE-2024-40790 is a vulnerability discovered in Apple visionOS, the operating system designed for Apple's spatial computing platform. The flaw arises from improper handling of GPU memory caches, allowing an app with limited privileges (local access and low privilege) to read sensitive data residing in GPU memory. This data could include sensitive graphical or computational information processed by other apps or system components. The vulnerability does not require user interaction but does require the app to have some level of privilege on the device. The issue affects unspecified versions of visionOS prior to version 2, where Apple implemented improved cache handling to prevent unauthorized memory reads. The vulnerability impacts confidentiality by potentially exposing sensitive data but does not affect integrity or availability of the system. The CVSS 3.1 base score is 5.5, reflecting a medium severity level, with attack vector local, low attack complexity, low privileges required, no user interaction, and unchanged scope. No known exploits have been reported in the wild, indicating limited active exploitation at this time. However, the nature of the vulnerability means that any malicious app installed on a visionOS device could leverage this flaw to access sensitive GPU memory data, posing a privacy and data security risk.

For European organizations, the primary impact of CVE-2024-40790 is the potential leakage of sensitive data processed or stored in GPU memory on Apple visionOS devices. This could include confidential graphical data, proprietary computations, or other sensitive information handled by applications running on these devices. Organizations using visionOS for development, design, or operational purposes may face risks of intellectual property exposure or privacy breaches if malicious apps exploit this vulnerability. Although the attack requires local access and some privileges, insider threats or compromised devices could lead to data leakage. The lack of impact on system integrity or availability limits the threat to confidentiality only. Given the growing adoption of Apple spatial computing devices in sectors such as design, healthcare, and education, the vulnerability could affect sensitive workflows. The absence of known exploits reduces immediate risk but does not eliminate the need for timely patching. Failure to address this vulnerability could undermine trust in visionOS devices and expose organizations to compliance and regulatory risks related to data protection.

To mitigate CVE-2024-40790, organizations should promptly update all Apple visionOS devices to version 2 or later, where the vulnerability is fixed through improved GPU cache handling. Restrict installation of apps to trusted sources, such as the official Apple App Store, to reduce the risk of malicious apps exploiting this flaw. Implement strict device access controls and privilege management to limit local app permissions and reduce the attack surface. Monitor devices for unusual app behavior or unauthorized access attempts. For organizations deploying visionOS devices in sensitive environments, consider additional endpoint security solutions that can detect anomalous GPU memory access patterns. Educate users about the risks of installing untrusted apps and enforce policies that prevent sideloading or unauthorized app installations. Regularly review and audit installed applications and device configurations to ensure compliance with security policies. Finally, maintain awareness of updates from Apple and apply security patches promptly to minimize exposure.