⚠ Actively exploited
Added to CISA KEV on 2022-05-23. Federal agencies required to patch by 2022-06-13. Required action: Apply updates per vendor instructions..

CVE-2019-7286Out-of-bounds Write in Apple Macos

CWE-787Out-of-bounds Write15 documents8 sources
Severity
7.8HIGHNVD
EPSS
1.5%
top 19.16%
CISA KEV
KEV
Added 2022-05-23
Due 2022-06-13
Exploit
Exploited in wild
Active exploitation observed
Affected products
4
Apple IOSApple MacosApple Iphone OS+1 more
Timeline
PublishedDec 18
KEV addedMay 23
Latest updateMay 24
KEV dueJun 13
CISA Required Action: Apply updates per vendor instructions.

Description

A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 12.1.4, macOS Mojave 10.14.3 Supplemental Update. An application may be able to gain elevated privileges.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

CVEListV5apple/macosunspecifiedmacOS Mojave 10.14.3 Supplemental Update
NVDapple/mac_os_x< 10.14.3
CVEListV5apple/iosunspecifiediOS 12.1.4
NVDapple/iphone_os< 12.1.4

🔴Vulnerability Details

8
GHSA
GHSA-7c5f-gfr7-vw4v: A memory corruption issue was addressed with improved input validation2022-05-24
Project0
Root Cause Analyses for 0-day In-the-Wild Exploits - Project Zero2020-07-01
Project0
Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 - Project Zero2020-07-01
CVEList
CVE-2019-7286: A memory corruption issue was addressed with improved input validation2019-12-18
Project0
A very deep dive into iOS Exploit chains found in the wild - Project Zero2019-08-01

💥Exploits & PoCs

1
Exploit-DB
iOS 12.1.3 - 'cfprefsd' Memory Corruption2019-05-06

📋Vendor Advisories

5
CISA
Apple Multiple Products Memory Corruption Vulnerability2022-05-23
Apple
CVE-2019-7286: watchOS 5.22019-03-27
Apple
CVE-2019-7286: tvOS 12.22019-03-25
Apple
CVE-2019-7286: iOS 12.1.42019-02-07
Apple
CVE-2019-7286: macOS Mojave 10.14.3 Supplemental Update2019-02-07
CVE-2019-7286 — Out-of-bounds Write in Apple Macos | cvebase