CVE-2024-23296 — Apple Multiple Products Memory Corruption Vulnerability

Apple RTKit — Zero-Day Memory Corruption in Real-Time Coprocessor Bypasses Kernel Memory Protections; Paired with CVE-2024-23225

What is Apple RTKit?

RTKit is Apple's proprietary real-time operating system that runs on dedicated coprocessors embedded in Apple SoCs (A-series, M-series, and S-series chips). RTKit coprocessors handle security-sensitive functions including the Secure Enclave Processor (SEP), neural engine management, Touch ID/Face ID processing, and crucially — Kernel Integrity Protection (KIP). KIP is a hardware-enforced mechanism that prevents modification of kernel code and critical read-only kernel data even if an attacker has achieved kernel read/write access. Subverting RTKit is the key to defeating KIP and achieving unrestricted kernel control on modern Apple devices.

Overview

CVE-2024-23296 is a zero-day memory corruption vulnerability in Apple RTKit that allows an attacker who has already achieved arbitrary kernel read and write capability to bypass kernel memory protections enforced by the RTKit coprocessor. Apple confirmed "Apple is aware of a report that this issue may have been exploited," consistent with active use in targeted surveillance exploit chains. CVE-2024-23296 was disclosed and patched simultaneously with CVE-2024-23225 (an XNU kernel memory corruption) on March 5, 2024 — the two CVEs together represent the complete kernel protection bypass stage of a sophisticated iOS/macOS exploit chain.

Affected Versions

Platform          Patched Version
iOS               17.4 / 16.7.6
iPadOS            17.4 / 16.7.6
macOS Sonoma      14.4
macOS Ventura     13.6.5
macOS Monterey    12.7.4
tvOS              17.4
watchOS           10.4

Technical Details

CWE-787 (Out-of-Bounds Write). RTKit firmware on Apple coprocessors contains a memory corruption vulnerability — an out-of-bounds write that can be triggered from the application processor side (the main CPU running iOS/macOS) when it communicates with the RTKit coprocessor. Because RTKit manages KIP (Kernel Integrity Protection), corrupting RTKit's state allows an attacker to instruct the coprocessor to disable or bypass the enforcement of read-only kernel memory protections.

The exploit chain role of CVE-2024-23296:

  1. A preceding vulnerability provides initial kernel read/write access (e.g., a kernel UAF or memory corruption)
  2. CVE-2024-23225 corrupts XNU kernel memory to weaken primary protections
  3. CVE-2024-23296 corrupts RTKit state to disable KIP, removing the hardware-enforced last line of defense
  4. The attacker now has unrestricted kernel control — can install persistent rootkit software, bypass secure boot, and exfiltrate all data including SEP-protected secrets

This combination allows complete, persistent compromise of a fully-patched Apple device.

Discovery

Identified through active exploitation reporting — Apple's advisory language confirms a credible report of exploitation in the wild, consistent with a commercial spyware or nation-state actor using the chain in targeted attacks. The simultaneous patching of both CVE-2024-23225 and CVE-2024-23296 indicates they were discovered together as a functional exploit chain.

Exploitation Context

RTKit vulnerabilities are among the most technically sophisticated and high-value in iOS security research because RTKit controls the hardware enforcement of iOS kernel integrity. Defeating RTKit enables persistent compromise that survives kernel patches and potentially even device restarts. This level of capability is the hallmark of commercial spyware platforms like Pegasus (NSO Group) and nation-state iOS exploit chains. Targets are invariably high-value individuals rather than mass populations.

Remediation

  1. Update immediately to iOS 17.4/16.7.6, iPadOS 17.4/16.7.6, macOS Sonoma 14.4, macOS Ventura 13.6.5, macOS Monterey 12.7.4, tvOS 17.4, or watchOS 10.4.
  2. Enable Lockdown Mode on Apple devices used by journalists, activists, executives, and government officials — it hardens the inter-process communication channels that coprocessor exploit chains often traverse.
  3. Restart devices promptly after applying updates — some exploitation techniques rely on in-memory state that is cleared on restart.
  4. For organizations managing high-risk individuals' devices, consider regular forensic checks using tools like iMazing or Amnesty Tech's Mobile Verification Toolkit (MVT) to detect spyware indicators.
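To turn the patched-version table above into a fleet check, here is an added example (not from this page or from Apple) that flags inventory entries still below the fixed build for their own OS branch; the inventory rows are constructed sample data, the platform and version strings are assumed to come from an MDM export in this shape, and macOS marketing names are mapped to their major version numbers (Sonoma 14, Ventura 13, Monterey 12).

```python
"""Flag inventory entries still below the CVE-2024-23296 fixed versions."""
from typing import Dict, List, Tuple

# Patched versions per platform and major-version branch, from the table above.
FIXED: Dict[str, Dict[int, Tuple[int, ...]]] = {
    "ios":     {17: (17, 4), 16: (16, 7, 6)},
    "ipados":  {17: (17, 4), 16: (16, 7, 6)},
    "macos":   {14: (14, 4), 13: (13, 6, 5), 12: (12, 7, 4)},
    "tvos":    {17: (17, 4)},
    "watchos": {10: (10, 4)},
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'17.3.1' -> (17, 3, 1); raises ValueError on non-numeric components."""
    return tuple(int(p) for p in text.strip().split("."))

def is_patched(platform: str, version: str) -> bool:
    """True if this platform/version carries the fix.

    The comparison stays inside the device's own major branch: iOS 17.0 sorts
    above 16.7.6 numerically but is still unpatched because its fix is 17.4.
    A branch with no listed fix (e.g. watchOS 9.x) is treated as unpatched.
    """
    v = parse_version(version)
    fixed = FIXED.get(platform.lower(), {}).get(v[0])
    if fixed is None:
        return False
    return v >= fixed  # tuple comparison: (17, 4, 1) >= (17, 4) is True

def unpatched_devices(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Names of devices that still need the update, in inventory order."""
    return [name for name, plat, ver in inventory if not is_patched(plat, ver)]

# Constructed sample inventory (device name, platform, OS version); not real data.
SAMPLE_INVENTORY = [
    ("ceo-iphone",    "iOS",     "17.3.1"),  # below 17.4
    ("legal-ipad",    "iPadOS",  "16.7.6"),  # patched on the 16.x branch
    ("press-macbook", "macOS",   "14.4"),    # patched
    ("lab-mac-mini",  "macOS",   "13.6.4"),  # below 13.6.5
    ("lobby-appletv", "tvOS",    "17.4"),    # patched
    ("old-watch",     "watchOS", "9.6.3"),   # no fix listed for 9.x
]

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"NEEDS UPDATE: {name}")
```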

Key Details

Property              Value
CVE ID                CVE-2024-23296
Vendor / Product      Apple — Multiple Products
NVD Published         2024-03-05
NVD Last Modified     2026-04-03
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-787
CISA KEV Added        2024-03-06
CISA KEV Deadline     2024-03-27
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-03-27. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-03-05    Apple releases emergency patches; CVE-2024-23296 and CVE-2024-23225 disclosed simultaneously as zero-days exploited in the wild
2024-03-06    Added to CISA Known Exploited Vulnerabilities catalog
2024-03-27    CISA BOD 22-01 remediation deadline