
A newly discovered race condition in Apple’s macOS kernel (XNU) could allow attackers to escalate privileges, corrupt memory, and potentially achieve kernel-level code execution, according to security researcher Joseph Ravichandran (@0xjprx) of MIT CSAIL. Tracked as CVE-2025-24118 and assigned a CVSS score of 9.8 (Critical), this vulnerability was patched in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4.
The flaw arises from a combination of Safe Memory Reclamation (SMR), per-thread credentials, read-only page mappings, and memcpy behavior—culminating in a race condition that allows unauthorized credential modification.
CVE-2025-24118 is a concurrency bug in Apple's XNU kernel affecting a process's credentials, which live in a read-only structure that ordinary kernel code cannot write directly. Readers of the credential pointer rely on Safe Memory Reclamation (SMR) to access it without taking a lock while being guaranteed that the credential they observe is not freed underneath them. That guarantee only holds if the writer publishes the new pointer atomically. The update path instead wrote the pointer non-atomically, so a lock-free reader racing with the writer could observe a partially written pointer: a value that is neither the old credential nor the new one. Because the reader then dereferences what it loaded, the race lets an attacker corrupt the credential pointer seen by their own threads.
“This bug allows for corruption of a thread’s kauth_cred_t credential pointer,” Ravichandran explains in his analysis. “Specifically, the SMR-protected p_ucred field of a process’s read-only struct can be corrupted to point to invalid memory, or potentially to a different (maybe even more privileged) credential.”
An unprivileged local attacker can trigger the race from a multi-threaded process: some threads force frequent credential updates while others keep reading the credential pointer, and the race is won often enough to be practical.
Ravichandran’s analysis delves into the technical details of the vulnerability, explaining how the different kernel features interact to create the race condition. The analysis also provides a proof-of-concept (PoC) exploit that demonstrates the CVE-2025-24118 vulnerability.
Apple patched the vulnerability in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4. Apple's advisory describes the fix as improved memory handling; in effect, the credential pointer in the read-only structure is now updated atomically, which removes the window in which an SMR reader could observe a partially written pointer.
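To make the bug class concrete, here is an added user-space C model of the race. It is example code written for this page, not Ravichandran's PoC and not XNU source. A pointer field standing in for p_ucred is updated by a writer thread while a reader thread loads it without a lock, as an SMR reader would. In the vulnerable variant the writer copies the pointer byte by byte (modelling a non-atomic update), and the reader can observe a value that is neither credential; in the fixed variant the writer uses a single atomic release store and the reader an acquire load, and no torn value is ever observed. The struct names, arena offsets, uid values, iteration count and function names are this example's own choices.

```c
/* Added example modelling the race class behind CVE-2025-24118 in user space.
 * Not XNU code and not the researcher's PoC; all names here are invented. */
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cred { int uid; };            /* stand-in for a kernel credential */

/* Two credentials placed far apart in a static arena so their addresses
 * differ in several bytes; otherwise a byte-wise copy could never produce a
 * visibly torn pointer. Constructed for this example. */
static unsigned char arena[0x200000];
static struct cred *cred_unpriv;     /* the caller's own credential (uid 501) */
static struct cred *cred_other;      /* some other process's credential (uid 0) */

/* The contended field: plays the role of p_ucred in the read-only struct. */
static struct cred *p_ucred;
static _Atomic(struct cred *) p_ucred_atomic;

#define ITERS 2000000L
struct race_result { long torn; long valid; };

/* Deterministic model of a torn read: the value a reader sees if it loads the
 * whole pointer after the writer has copied only k of its bytes. */
uintptr_t torn_snapshot(uintptr_t oldp, uintptr_t newp, size_t k) {
    unsigned char cur[sizeof(uintptr_t)], nxt[sizeof(uintptr_t)];
    if (k > sizeof cur) k = sizeof cur;
    memcpy(cur, &oldp, sizeof cur);
    memcpy(nxt, &newp, sizeof nxt);
    memcpy(cur, nxt, k);             /* only the first k bytes have landed */
    uintptr_t seen;
    memcpy(&seen, cur, sizeof seen);
    return seen;
}

static void *writer_bytewise(void *arg) {
    (void)arg;
    for (long i = 0; i < ITERS; i++) {
        struct cred *next = (i & 1) ? cred_other : cred_unpriv;
        /* Vulnerable pattern: non-atomic update, each byte lands separately.
         * Intentionally racy so the reader can catch it half-written. */
        volatile unsigned char *dst = (volatile unsigned char *)&p_ucred;
        const unsigned char *src = (const unsigned char *)&next;
        for (size_t b = 0; b < sizeof next; b++) dst[b] = src[b];
    }
    return NULL;
}

static void *reader_lockfree(void *arg) {
    struct race_result *r = arg;
    for (long i = 0; i < ITERS; i++) {
        /* Lock-free load, as an SMR reader does; no dereference here, the
         * kernel reader would dereference it and crash or use the wrong cred. */
        struct cred *seen = *(struct cred *volatile *)&p_ucred;
        if (seen == cred_unpriv || seen == cred_other) r->valid++;
        else r->torn++;
    }
    return NULL;
}

static void *writer_atomic(void *arg) {
    (void)arg;
    for (long i = 0; i < ITERS; i++) {
        struct cred *next = (i & 1) ? cred_other : cred_unpriv;
        /* Fixed pattern: one release store publishes the whole pointer. */
        atomic_store_explicit(&p_ucred_atomic, next, memory_order_release);
    }
    return NULL;
}

static void *reader_atomic(void *arg) {
    struct race_result *r = arg;
    for (long i = 0; i < ITERS; i++) {
        struct cred *seen =
            atomic_load_explicit(&p_ucred_atomic, memory_order_acquire);
        if (seen == cred_unpriv || seen == cred_other) r->valid++;
        else r->torn++;
    }
    return NULL;
}

/* Runs writer and reader concurrently and returns the number of torn reads.
 * use_atomic == 0 models the vulnerable update, 1 the fixed one. */
long run_race(int use_atomic) {
    cred_unpriv = (struct cred *)(arena + 0x1000);
    cred_other  = (struct cred *)(arena + 0x1ab000);
    cred_unpriv->uid = 501;
    cred_other->uid = 0;
    p_ucred = cred_unpriv;
    atomic_store(&p_ucred_atomic, cred_unpriv);

    struct race_result r = {0, 0};
    pthread_t w, rd;
    pthread_create(&w, NULL, use_atomic ? writer_atomic : writer_bytewise, NULL);
    pthread_create(&rd, NULL, use_atomic ? reader_atomic : reader_lockfree, &r);
    pthread_join(w, NULL);
    pthread_join(rd, NULL);
    return r.torn;
}

int main(void) {
    printf("byte-wise update: %ld torn reads of %ld\n", run_race(0), ITERS);
    printf("atomic update:    %ld torn reads of %ld\n", run_race(1), ITERS);
    return 0;
}
```

Build with `cc -O2 -pthread race.c -o race`. The byte-wise run typically reports a non-zero number of torn reads (the exact count depends on scheduling and core count), while the atomic run reports none; `torn_snapshot` shows the same effect deterministically for a chosen number of already-written bytes. The difference from the kernel is only that this reader compares the pointer instead of dereferencing it; in XNU the torn value is used, which is where the access to invalid memory, or to a different credential, comes from.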