CVE-2024-44246 is a privacy vulnerability discovered in Apple Safari browsers on devices with Private Relay enabled. Private Relay is designed to mask users' originating IP addresses by routing traffic through Apple-operated proxy servers, enhancing user privacy and preventing websites from tracking real IP addresses. However, this vulnerability causes Safari to leak the user's true IP address to websites when the user adds those websites to the Safari Reading List feature. This occurs because the requests generated during the addition to the Reading List are not properly routed through the Private Relay infrastructure, exposing the user's IP address. The flaw affects Safari versions prior to 18.2 on iOS 18.2, iPadOS 18.2, iPadOS 17.7.3, and macOS Sequoia 15.2. The vulnerability has a CVSS v3.1 base score of 4.3 (medium severity), reflecting that it is remotely exploitable over the network without privileges but requires user interaction. The impact is limited to confidentiality as the IP address is leaked, but there is no impact on data integrity or system availability. Apple fixed the issue by improving the routing logic for Safari-originated requests to ensure they pass through Private Relay correctly. There are no known exploits in the wild at the time of publication. The vulnerability is categorized under CWE-125 (Out-of-bounds Read), indicating a flaw in how data is handled internally during the Reading List addition process.

The primary impact of CVE-2024-44246 is the compromise of user privacy through the leakage of the originating IP address despite Private Relay being enabled. This undermines the core privacy feature of Private Relay, potentially allowing websites to track users or infer their approximate geographic location. For organizations, this could lead to exposure of sensitive user or employee browsing habits and locations, especially in privacy-sensitive sectors such as journalism, activism, or corporate research. While the vulnerability does not allow remote code execution or system compromise, the IP address leakage could facilitate targeted tracking, profiling, or correlation attacks. The scope of affected systems includes all Apple devices running vulnerable Safari versions with Private Relay enabled, which could be widespread given Apple's large market share in mobile and desktop platforms. The requirement for user interaction (adding a site to the Reading List) limits automated exploitation but does not eliminate risk, as users may add sites unknowingly. No integrity or availability impacts reduce the risk of system disruption, but confidentiality loss remains significant for privacy-conscious users and organizations.

To mitigate CVE-2024-44246, affected users and organizations should promptly update Safari and their operating systems to versions 18.2 or later on iOS, iPadOS, and macOS Sequoia 15.2 or later, where the issue is fixed. Until updates are applied, users should avoid adding websites to the Safari Reading List while Private Relay is enabled, especially for untrusted or sensitive sites. Organizations can enforce update policies via mobile device management (MDM) solutions to ensure timely patch deployment. Additionally, monitoring network traffic for anomalous direct IP leaks from Safari clients may help detect exploitation attempts. Security teams should educate users about the privacy implications of this vulnerability and encourage cautious use of the Reading List feature. Finally, reviewing and auditing privacy configurations and browser settings can help reduce exposure to similar leaks.