CVE-2016-1741
published 2016-03-24


Priority: P2 (61) · Critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 12.15% (95.6th percentile)
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.4 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Affected (2 ranges)

Vendor  Product                                                Version range  Fixed in
apple   mac_os_x                                               <= 10.11.3
apple   os_x_el_capitan_v10.11.4_and_security_update_2016-002

Detection & IOCs (extracted from sources)

command: IOConnectCallMethod(conn, 0x10a, inputScalar, inputScalarCnt, inputStruct, inputStructCnt, outputScalar, &outputScalarCnt, outputStruct, &outputStructCnt)
other: IOAccelerator userclient type 5, external method 0x10a
other: inputScalar[0] = 0x0f0f0f0f
  • Monitor for IOServiceOpen calls targeting 'IOAccelerator' with userclient type 5, followed by IOConnectCallMethod invocations using selector 0x10a (nvDevice::ReleaseDeviceTexture). This is the specific attack vector for CVE-2016-1741.
  • The exploit passes a crafted scalar value 0x0f0f0f0f as the single uint argument to external method 0x10a. The driver masks it with 0x7FFFFFFF and uses it as an unchecked array index to read an object pointer and call a virtual method; look for anomalous large or crafted index values passed to this selector.
  • Exploitation requires a crafted app running on macOS. Privilege escalation to kernel context occurs via the NVIDIA GeForce IOAccelerator driver. Systems running OS X prior to 10.11.4 without Security Update 2016-002 are vulnerable.
  • The vulnerability is in the NVIDIA GeForce IOAccelerator kernel driver on macOS only. The attack surface is limited to local apps with access to the IOAccelerator IOService; it is not remotely exploitable.
  • The fix is included in OS X El Capitan v10.11.4 and Security Update 2016-002. Systems without NVIDIA graphics hardware, or without the GeForce IOAccelerator kext loaded, are not affected.

CVSS provenance

NVD · CVSS v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C