⚠ Actively exploited
Added to CISA KEV on 2022-02-10. Federal agencies required to patch by 2022-08-10. Required action: Apply updates per vendor instructions..

CVE-2014-4404Out-of-bounds Write in Apple Iphone OS

CWE-787Out-of-bounds WriteCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer9 documents9 sources
Severity
7.8HIGHNVD
EPSS
62.0%
top 1.65%
CISA KEV
KEV
Added 2022-02-10
Due 2022-08-10
Exploit
Exploited in wild
Active exploitation observed
Affected products
4
Apple Iphone OSApple MAC OS XApple Tvos+1 more
Timeline
PublishedSep 18
KEV addedFeb 10
KEV dueAug 10
Latest updateOct 7
CISA Required Action: Apply updates per vendor instructions.

Description

Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

NVDapple/tvos< 7.0
NVDapple/mac_os_x10.10.110.10.3+1
NVDapple/iphone_os< 8.0

🔴Vulnerability Details

3
GHSA
GHSA-frxp-ch88-g8fc: Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged conte2022-05-14
Project0
More Mac OS X and iPhone sandbox escapes and kernel bugs - Project Zero2014-10-01
VulnCheck
Apple OS X Heap-Based Buffer Overflow Vulnerability2014

💥Exploits & PoCs

2
Exploit-DB
Apple Mac OSX - IOKit Keyboard Driver Privilege Escalation (Metasploit)2014-12-02
Metasploit
Mac OS X IOKit Keyboard Driver Root Privilege Escalation

📋Vendor Advisories

2
CISA
Apple OS X Heap-Based Buffer Overflow Vulnerability2022-02-10
Apple
CVE-2014-4404: OS X Yosemite v10.10.3 and Security Update 2015-004

📄Research Papers

1
arXiv
Cybersecurity Threat Hunting and Vulnerability Analysis Using a Neo4j Graph Database of Open Source Intelligence2024-10-07