CVE-2024-44246 is a privacy-related vulnerability in Apple’s macOS and related operating systems that use the Safari browser with Private Relay enabled. Private Relay is designed to mask the user’s originating IP address by routing traffic through Apple-operated proxy servers, thereby enhancing user privacy and preventing websites from tracking the user’s real IP. However, this vulnerability arises when a user adds a website to the Safari Reading List feature. Due to improper routing of these Safari-originated requests, the originating IP address can be leaked directly to the website being added, circumventing the Private Relay protections. This issue is classified under CWE-125 (Out-of-bounds Read), indicating a flaw in how data is accessed or processed internally. The vulnerability affects multiple Apple platforms including macOS Sequoia prior to 15.2, iOS 18.2, iPadOS 18.2, Safari 18.2, and iPadOS 17.7.3. Apple has resolved the issue by improving the routing logic for Safari requests in these updated versions. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires no privileges, but does require user interaction (adding a site to Reading List). The impact is limited to confidentiality as the IP address is exposed, but there is no impact on integrity or availability. No known exploits have been reported in the wild, but the vulnerability poses a privacy risk for users relying on Private Relay to anonymize their IP addresses.

For European organizations, the primary impact is the potential exposure of user IP addresses despite the use of Apple’s Private Relay privacy feature. This could lead to reduced anonymity for employees or users accessing sensitive or regulated content, potentially enabling tracking or profiling by malicious websites or third parties. While the vulnerability does not directly compromise system integrity or availability, the confidentiality breach could have compliance implications under GDPR and other privacy regulations if IP addresses are considered personal data. Organizations relying on Apple devices for secure and private browsing may see a degradation in privacy guarantees, which could affect sectors with high privacy requirements such as finance, healthcare, and government. The risk is heightened for users who frequently add websites to their Safari Reading List, as this action triggers the IP leak. However, the absence of known active exploits reduces immediate risk, though patching remains critical to prevent future abuse.

European organizations should ensure that all Apple devices are updated to macOS Sequoia 15.2, iOS 18.2, iPadOS 18.2, Safari 18.2, or iPadOS 17.7.3 or later to receive the fix for this vulnerability. IT administrators should audit device configurations to verify that Private Relay is enabled only where necessary and educate users about the risk associated with adding websites to the Safari Reading List until patches are applied. Network monitoring can be enhanced to detect unusual traffic patterns that might indicate attempts to exploit this vulnerability. For highly sensitive environments, consider temporarily disabling Private Relay or restricting Safari Reading List usage until devices are patched. Additionally, organizations should review privacy policies and ensure that data protection impact assessments reflect this vulnerability’s potential to expose personal IP data. Employing endpoint management solutions to enforce timely patch deployment and user awareness training will further reduce risk.