⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2019-8646Out-of-bounds Read in Apple Macos

CWE-125Out-of-bounds Read13 documents6 sources
Severity
7.5HIGHNVD
EPSS
5.2%
top 10.03%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
6
Apple IOSApple MacosApple Tvos+3 more
Timeline
PublishedDec 18
Latest updateMay 24

Description

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3. A remote attacker may be able to leak memory.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

CVEListV5apple/tvosunspecifiedtvOS 12.4
NVDapple/tvos< 12.4
CVEListV5apple/macosunspecifiedmacOS Mojave 10.14.6
CVEListV5apple/watchosunspecifiedwatchOS 5.3
NVDapple/watchos< 5.3

🔴Vulnerability Details

7
GHSA
GHSA-rwgf-fjm3-5vp2: An out-of-bounds read was addressed with improved input validation2022-05-24
Project0
Remote iPhone Exploitation Part 3: From Memory Corruption to JavaScript and Back -- Gaining Code Execution - Project Zero2020-01-01
Project0
Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass - Project Zero2020-01-01
Project0
Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641 - Project Zero2020-01-01
CVEList
CVE-2019-8646: An out-of-bounds read was addressed with improved input validation2019-12-18

💥Exploits & PoCs

1
Exploit-DB
iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects2019-07-30

📋Vendor Advisories

4
Apple
CVE-2019-8646: iOS 12.42019-07-22
Apple
CVE-2019-8646: tvOS 12.42019-07-22
Apple
CVE-2019-8646: watchOS 5.32019-07-22
Apple
CVE-2019-8646: macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra2019-07-22
CVE-2019-8646 — Out-of-bounds Read in Apple Macos | cvebase