CVE-2024-27842: macOS Sonoma Kernel Privilege Escalation, PoC Published

A new privilege escalation vulnerability has been discovered in macOS 14 Sonoma, designated as CVE-2024-27842. While the severity of this vulnerability has not yet been determined, it affects all versions of macOS 14.x up to the recently released 14.5. A public exploit for this vulnerability is already available online.

The vulnerability resides in the Universal Disk Format (UDF) file system and is related to the input/output control (IOCTL) function. UDF itself is an open, vendor-independent file system format for data storage.


A proof-of-concept exploit for this vulnerability was published by a researcher using the pseudonym “WangTielei” on GitHub and additionally announced on his profile on the X platform.

According to available information, the vulnerability is associated with the IOAESAccelerator component in macOS, which is used to create a 0x28-byte buffer. That buffer is then written into a stack buffer of only 0x18 bytes, overflowing it and leading to a kernel panic. Combining this vulnerability with IOCTL commands significantly expands the attack surface, allowing for the execution of arbitrary commands on the device.
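The size mismatch described above (0x28 bytes written into a 0x18-byte stack buffer) and the checks that prevent it, as an added illustration that is not Apple's code or the published PoC. The names demo_req, demo_handle, demo_run, demo_fixed and COPY_FIXED are hypothetical, and the request bytes are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SRC_LEN 0x28 /* source buffer size given in the article */
#define DST_LEN 0x18 /* stack buffer size given in the article */

/* Fixed-size copy that fails to build when the source array is larger
 * than the destination array. Both arguments must be arrays. */
#define COPY_FIXED(dst, src) do { \
    _Static_assert(sizeof(src) <= sizeof(dst), "source exceeds destination"); \
    memcpy((dst), (src), sizeof(src)); } while (0)

/* Hypothetical request: caller-controlled length plus payload. */
struct demo_req { size_t len; uint8_t data[SRC_LEN]; };

/* Hypothetical handler. The unsafe shape is
 *     memcpy(local, req->data, req->len);
 * with no check, which can write 0x28 bytes into 0x18 bytes of stack. */
int demo_handle(const struct demo_req *req, uint8_t *fold_out)
{
    uint8_t local[DST_LEN] = {0};
    uint8_t fold = 0;

    if (req == NULL || fold_out == NULL) return EINVAL;
    if (req->len > sizeof(local))       /* bound by the destination size */
        return EINVAL;
    memcpy(local, req->data, req->len);
    for (size_t i = 0; i < sizeof(local); i++)
        fold ^= local[i];               /* stand-in for real processing */
    *fold_out = fold;
    return 0;
}

/* Builds a constructed request of `len` bytes of 0x41 and runs the handler. */
int demo_run(size_t len, uint8_t *fold_out)
{
    struct demo_req req = { .len = len };
    memset(req.data, 0x41, sizeof(req.data));
    return demo_handle(&req, fold_out);
}

/* Compile-time variant: a src[SRC_LEN] here would fail to build. */
uint8_t demo_fixed(void)
{
    const uint8_t src[DST_LEN] = {0x5a};
    uint8_t dst[DST_LEN];
    COPY_FIXED(dst, src);
    return dst[0];
}
```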

Apple reports that the vulnerability was first identified by the Skyfall team from CertiK and was detailed in their private report to facilitate a rapid fix.

To mitigate CVE-2024-27842 and protect their data, users are advised to update their operating systems to macOS 14.5.