CVE-2024-40796 is a privacy vulnerability identified in Apple’s iOS and iPadOS platforms, including macOS versions Sonoma, Monterey, and Ventura. The flaw arises from inadequate redaction of private data in system log entries when users employ private browsing mode. Private browsing is intended to prevent the storage or exposure of browsing history, cookies, and other session data. However, due to this vulnerability, some browsing history information may be inadvertently recorded in logs accessible on the device, potentially exposing user activity to local attackers or applications with access to logs. The vulnerability is classified under CWE-359 (Exposure of Private Information Through Log Files). It has a CVSS v3.1 base score of 5.3, indicating a medium severity level. The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) shows that the vulnerability can be exploited remotely over the network without privileges or user interaction, impacting confidentiality only. Apple has released patches in iOS 16.7.9, iPadOS 16.7.9, macOS Sonoma 14.6, Monterey 12.7.6, and Ventura 13.6.8 to improve private data redaction in logs and prevent leakage. There are no known exploits in the wild at this time. The vulnerability primarily affects users relying on private browsing for privacy, potentially exposing sensitive browsing data to unauthorized local access or forensic analysis.

For European organizations, the leakage of browsing history in private mode can undermine privacy assurances critical for compliance with regulations such as GDPR, especially for sectors handling sensitive personal data (e.g., healthcare, finance, legal). Exposure of browsing history could lead to unauthorized disclosure of user behavior, potentially revealing confidential research, client interactions, or internal investigations. This risk is heightened in environments where devices are shared, managed by IT teams, or subject to forensic analysis. While the vulnerability does not allow remote compromise or system control, the confidentiality impact could damage organizational reputation and trust. Additionally, organizations relying on private browsing as a privacy control may need to reassess their security posture until patches are applied. The absence of known exploits reduces immediate risk but does not eliminate the potential for future abuse.

European organizations should prioritize deploying the Apple security updates that address this vulnerability: iOS 16.7.9, iPadOS 16.7.9, macOS Sonoma 14.6, Monterey 12.7.6, and Ventura 13.6.8. IT administrators should audit device inventories to identify affected Apple devices and enforce patch management policies to ensure timely updates. User education is critical to communicate that private browsing is not a foolproof privacy measure and to avoid reliance on it for sensitive activities until patched. Organizations should review logging and monitoring configurations to restrict access to system logs that may contain residual browsing data. For high-security environments, consider additional endpoint protections or device usage policies limiting private browsing or requiring encrypted containers for sensitive sessions. Incident response teams should be aware of this vulnerability when investigating potential data leakage incidents. Finally, maintain vigilance for any emerging exploit reports or updates from Apple.