CVE-2019-8765
published 2019-12-18


Priority: P2
CVSS 3.1: 8.8 (high)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit referenced (see Detection & IOCs)
EPSS: 6.98% (93.3rd percentile)
Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in watchOS 6.1. Processing maliciously crafted web content may lead to arbitrary code execution.

Affected

10 ranges

Vendor   Product                      Version range                          Fixed in
apple    icloud_for_windows
apple    icloud_for_windows
apple    ios_13.1_and_ipados
apple    itunes_12.10.1_for_windows
apple    safari
apple    tvos
apple    watchos                      < 6.1                                  6.1
apple    watchos
apple    watchos                      >= unspecified < watchOS 6.1           watchOS 6.1
debian   webkit2gtk                   < webkit2gtk 2.24.4-1 (bookworm)       webkit2gtk 2.24.4-1 (bookworm)

Detection & IOCs

URL: https://www.exploit-db.com/exploits/47565
Path: /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc
  • The root cause is in the DFG CSE (Common Subexpression Elimination) phase incorrectly replacing a GetGetterSetterByOffset node with a non-GetterSetter constant when a dominating block is marked unreachable. Detection should focus on JIT compiler paths in JavaScriptCore's DFGCSEPhase interacting with GetGetterSetterByOffset nodes.
  • The bug was originally discovered by Fuzzilli (a coverage-guided JavaScript engine fuzzer). Fuzzilli-generated JS harnesses targeting DFG JIT paths with getter/setter property descriptors on built-in properties like 'length' should be treated as high-risk inputs.
  • The type confusion only manifests after the JIT compiler (DFG/FTL) has compiled the vulnerable function; the function must be called enough times to trigger JIT compilation. Single-shot or low-iteration executions may not trigger the bug.
  • In debug builds the bug causes an assertion crash (detectable); in release/production builds it results in silent memory corruption with potential for arbitrary code execution, so no visible crash signal may be produced.
  • The vulnerability affects JavaScriptCore (WebKit) across multiple Apple platforms (watchOS, iOS/iPadOS, tvOS, iCloud for Windows) and is also present in the WebKitGTK package on Debian-based Linux distributions prior to version 2.24.4-1.

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                      8.8     HIGH
vendor_debian            8.8     HIGH
vendor_redhat            8.8     HIGH