A race condition was addressed with improved locking. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. Mounting a maliciously crafted SMB network share may lead to system termination.
The error results from improper synchronization of access to shared resources (race condition, CWE-362) during SMB network share mounting. An attacker can prepare a malicious SMB server and trick a user into connecting to a specially crafted network share. During mounting, a race occurs between threads or processes, leading to system instability and sudden termination (crash). Apple resolved the issue by implementing an improved locking mechanism.
An attacker can cause sudden termination of the operating system, resulting in loss of machine availability. Based on the CVSS vector, potential impact on data confidentiality and integrity was also assessed.
Update the system to macOS Sequoia 15.4, macOS Sonoma 14.7.5, or macOS Ventura 13.7.5, in which Apple implemented a patch. Details available at: https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, https://support.apple.com/en-us/122375.
Apple macOS Sequoia versions earlier than 15.4, macOS Sonoma versions earlier than 14.7.5, and macOS Ventura versions earlier than 13.7.5.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApple macOS
OSApple13.0 – 13.7.5 (bez)14.0 – 14.7.5 (bez)15.0 – 15.4 (bez)
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach
Apple — memory corruption (RCE) w przetwarzaniu strumieni audio
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki