CVE-2024-44285

HIGH

iPadOS 18.0 - Use-After-Free

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-44285. PoCs published by slds1.

AI-analyzed exploit summary: The PoC exploits a race condition in the IOSurfaceRoot IOKit service by spawning two threads that repeatedly call IOConnectCallMethod with a malformed serialized dictionary. This likely triggers a use-after-free or other memory corruption vulnerability in the kernel, leading to local privilege escalation (LPE).

Description

A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, tvOS 18.1, visionOS 2.1, watchOS 11.1. An app may be able to cause unexpected system termination or corrupt kernel memory.

Exploits (1)

nomisec WORKING POC 1 stars
by slds1 · poc
https://github.com/slds1/explt


Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Racy
Target: Apple macOS (IOSurfaceRoot IOKit service)
No auth needed
Prerequisites: Local access to a vulnerable macOS system · IOKit service 'IOSurfaceRoot' must be present
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 7.8
EPSS 0.0066
EPSS Percentile 46.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-416
Status published
Products (10)
Apple/iOS and iPadOS < 18.1
apple/ipados 18.0 - 18.1
apple/iphone_os 18.0 - 18.1
Apple/macOS < 15.1
apple/tvos < 18.1
Apple/tvOS < 18.1
apple/visionos < 2.1
Apple/visionOS < 2.1
apple/watchos < 11.1
Apple/watchOS < 11.1
Published Oct 28, 2024
Tracked Since Feb 18, 2026