A critical privilege escalation vulnerability in Apple’s macOS kernel has been revealed, posing a significant risk to users. The flaw, identified as CVE-2025-24118, affects multiple versions of macOS Sonoma, macOS Sequoia, and iPadOS. Security researcher Joseph Ravichandran from MIT CSAIL disclosed the issue, showing how a race condition in the macOS XNU kernel can lead to memory corruption and potentially allow attackers to execute code with kernel-level privileges.
The vulnerability impacts macOS Sonoma versions below 14.7.3, macOS Sequoia versions below 15.3, and iPadOS versions below 17.7.4. Apple has since released updates to address this vulnerability. Users are urged to update their devices immediately to mitigate the risk. The vulnerability arises from the intricate interaction of several advanced features in the XNU kernel, including Safe Memory Reclamation (SMR), Read-Only Pages in XNU, and Per-Thread Credentials.
The vulnerability occurs during updates to the p_ucred field, the process credential pointer safeguarded by SMR. This field was updated with zalloc_ro_mut, a function that is not atomic, so a concurrent reader could observe a partially written pointer; that unsafe use introduced the race condition.
Critical macOS vulnerability mitigation steps
Attackers could exploit this bug by corrupting p_ucred to point to invalid or privileged credentials. Ravichandran’s Proof-of-Concept (PoC) exercises the race with two concurrent threads, a Writer Thread and a Reader Thread: the reader can encounter a partially updated credential pointer, potentially leading to memory corruption or privilege escalation.
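The following is an added example, not XNU code and not the researcher's PoC. It models the defect class the article describes: a credential slot standing in for p_ucred is updated either byte by byte (a deliberately simplified stand-in for whatever multi-step, non-atomic write the real routine performed) or with a single atomic store, and a reader samples the slot at a chosen point in the interleaving. The two "credential addresses" and all function names are constructed for the demonstration.

```c
// Added example; not XNU code and not the researcher's PoC. It models the
// defect class the article describes: a credential slot (standing in for
// p_ucred) is updated either byte by byte, as a memcpy-style non-atomic
// write does, or with a single atomic store, and a reader samples the slot
// at a chosen point in the interleaving. All names and addresses are
// constructed for the demonstration.
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

// Constructed stand-ins for the addresses of two credential objects.
// Every byte differs, so any mix of the two is recognisably neither.
#define CRED_USER ((uintptr_t)0x1111111111111110ULL)
#define CRED_ROOT ((uintptr_t)0x2222222222222220ULL)

// Reader's view after the writer has landed `bytes_done` bytes of the new
// pointer with a byte-wise write. 0 is "before", sizeof(uintptr_t) is
// "after"; everything in between is a state a concurrent reader can hit.
uintptr_t nonatomic_reader_view(uintptr_t oldv, uintptr_t newv, size_t bytes_done)
{
    uintptr_t slot = oldv;
    unsigned char *dst = (unsigned char *)&slot;
    const unsigned char *src = (const unsigned char *)&newv;
    if (bytes_done > sizeof slot)
        bytes_done = sizeof slot;
    for (size_t i = 0; i < bytes_done; i++)
        dst[i] = src[i];  // each byte lands separately; a reader may look between them
    return slot;
}

// Reader's view when the writer uses one atomic store. There is no
// intermediate state: the reader sees the old pointer or the new one.
uintptr_t atomic_reader_view(uintptr_t oldv, uintptr_t newv, int after_store)
{
    _Atomic uintptr_t slot;
    atomic_init(&slot, oldv);
    if (after_store)
        atomic_store(&slot, newv);  // single indivisible write
    return atomic_load(&slot);
}

// Is the observed value one of the known credential objects?
int is_known_cred(uintptr_t p)
{
    return p == CRED_USER || p == CRED_ROOT;
}

// Number of interleaving points of the byte-wise write at which the reader
// observes a torn pointer (neither credential). Expect sizeof(uintptr_t) - 1.
int count_torn_views(uintptr_t oldv, uintptr_t newv)
{
    int torn = 0;
    for (size_t k = 0; k <= sizeof(uintptr_t); k++)
        if (!is_known_cred(nonatomic_reader_view(oldv, newv, k)))
            torn++;
    return torn;
}

int main(void)
{
    printf("byte-wise write: %d of %zu interleaving points show a torn pointer\n",
           count_torn_views(CRED_USER, CRED_ROOT), sizeof(uintptr_t) + 1);
    printf("atomic store: before=%#llx after=%#llx (never anything else)\n",
           (unsigned long long)atomic_reader_view(CRED_USER, CRED_ROOT, 0),
           (unsigned long long)atomic_reader_view(CRED_USER, CRED_ROOT, 1));
    return 0;
}
```

The point the model makes is the one Apple's fix relies on: a reader racing a non-atomic multi-step write can observe a value that was never a valid credential pointer, while a single atomic store leaves only the old or the new pointer observable, so SMR's protection of the object lifetime is not undermined by the update of the pointer itself.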
Apple has addressed the issue in macOS 15.3, macOS Sonoma 14.7.3, and iPadOS 17.7.4. The fix involves replacing non-atomic writes with atomic operations for the p_ucred field, ensuring proper synchronization. Users and organizations are strongly advised to update to the latest versions of macOS and iPadOS to patch the vulnerability and avoid running unverified binaries or granting excessive permissions to untrusted applications. CVE-2025-24118 serves as a reminder of the persistent challenges in securing modern kernels against concurrency flaws.
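For the update advice above, the following is an added example (not from the article, Apple, or the researcher) that classifies a macOS version string against the fix versions the article names, Sonoma 14.7.3 and Sequoia 15.3, as a fleet inventory tool would when fed the output of `sw_vers -productVersion`. The function names are constructed; iPadOS is not handled, since its version string comes from a different device, and majors the article does not name are reported as not assessed rather than guessed.

```c
// Added example; not from the article, Apple, or the researcher. It classifies
// a macOS version string against the fix versions the article names
// (Sonoma 14.7.3, Sequoia 15.3), e.g. for a fleet inventory script that feeds
// `sw_vers -productVersion` output into it. Function names are constructed;
// iPadOS is not handled, since its version comes from a different device.
#include <stdio.h>
#include <stdlib.h>

enum patch_status { PATCHED = 0, VULNERABLE = 1, NOT_ASSESSED = 2 };

// Pull the next dotted component off *s as a number and advance past it.
// A missing component reads as 0, so "15.3" compares equal to "15.3.0".
static long next_component(const char **s)
{
    char *end;
    long v = strtol(*s, &end, 10);
    if (end == *s) {            // no digits here: consume the rest as 0
        while (**s) (*s)++;
        return 0;
    }
    *s = end;
    if (**s == '.') (*s)++;
    return v;
}

// strcmp-style comparison of dotted numeric version strings.
int version_cmp(const char *a, const char *b)
{
    while (*a || *b) {
        long x = next_component(&a);
        long y = next_component(&b);
        if (x != y)
            return x < y ? -1 : 1;
    }
    return 0;
}

// Map a macOS productVersion string to a status for CVE-2025-24118.
// fix_out (optional) receives the fix version that applies, or NULL.
enum patch_status cve_2025_24118_status(const char *version, const char **fix_out)
{
    const char *fix = NULL;
    switch (strtol(version, NULL, 10)) {
    case 14: fix = "14.7.3"; break;   // macOS Sonoma
    case 15: fix = "15.3";   break;   // macOS Sequoia
    default: break;                   // other majors: the article names no fix
    }
    if (fix_out)
        *fix_out = fix;
    if (!fix)
        return NOT_ASSESSED;
    return version_cmp(version, fix) < 0 ? VULNERABLE : PATCHED;
}

int main(int argc, char **argv)
{
    static const char *labels[] = { "patched", "VULNERABLE", "not assessed" };
    // Constructed sample inputs; a real `sw_vers -productVersion` value
    // may be passed as argv[1] instead.
    const char *samples[] = { "14.7.2", "14.7.3", "15.2", "15.3.1", "13.6" };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        const char *v = (argc > 1) ? argv[1] : samples[i];
        const char *fix;
        enum patch_status st = cve_2025_24118_status(v, &fix);
        printf("%-8s %-12s fix: %s\n", v, labels[st], fix ? fix : "n/a");
        if (argc > 1)
            break;
    }
    return 0;
}
```

Run it on a Mac as `./check "$(sw_vers -productVersion)"`; a VULNERABLE result means the host is below the fix version for its major release and should be updated before anything else on the advice list is considered.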
While Apple has swiftly addressed the bug, the disclosure of a PoC underscores the need for vigilance. Users should act promptly to update their systems and protect sensitive data from potential exploitation.