CVE-2024-40790 is a vulnerability identified in Apple visionOS that allows an application to potentially read sensitive data directly from the GPU memory. The root cause lies in inadequate handling of GPU memory caches, which can lead to residual sensitive information being accessible to unauthorized apps. This vulnerability does not require user interaction but does require the app to have limited privileges on the device, indicating that the attacker must have some level of local access or app installation capability. The flaw primarily affects early versions of visionOS (version 0), and Apple addressed it in visionOS 2 by improving cache management to prevent unauthorized data exposure. The CVSS v3.1 score of 5.5 reflects a medium severity, with high confidentiality impact but no impact on integrity or availability. The attack vector is local (AV:L), with low attack complexity (AC:L), and privileges required (PR:L). No known exploits have been reported in the wild, suggesting limited current exploitation. This vulnerability highlights the risks of GPU memory data leakage in emerging AR/VR operating systems like visionOS, where sensitive visual and computational data may reside in GPU buffers.

The primary impact of CVE-2024-40790 is the unauthorized disclosure of sensitive data stored in GPU memory on devices running vulnerable versions of Apple visionOS. This could include confidential user information, cryptographic material, or other sensitive visual data processed by the GPU. While the vulnerability does not affect data integrity or system availability, the confidentiality breach could lead to privacy violations, intellectual property theft, or leakage of sensitive application data. Since exploitation requires local app installation with limited privileges, the risk is mainly to users who install untrusted or malicious apps. Organizations deploying visionOS devices in sensitive environments could face data leakage risks if devices are compromised by malicious insiders or attackers who gain local access. The absence of known exploits and the medium severity rating indicate a moderate but non-trivial risk, especially as visionOS adoption grows.

To mitigate CVE-2024-40790, organizations and users should promptly update all Apple visionOS devices to version 2 or later, where the vulnerability is fixed through improved GPU cache handling. Restrict app installation to trusted sources only, leveraging Apple’s app review and notarization processes to reduce the risk of malicious apps gaining local access. Employ strict device access controls and endpoint security measures to prevent unauthorized local access or app sideloading. Monitor installed applications for suspicious behavior and audit GPU memory access patterns if possible. For organizations, consider isolating visionOS devices from sensitive networks until patched. Developers should follow best practices for handling GPU memory and caching to avoid similar vulnerabilities. Finally, maintain awareness of updates from Apple regarding visionOS security advisories.