⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-27930Out-of-bounds Write in Apple IOS AND Ipados

CWE-787Out-of-bounds WriteCWE-20Improper Input Validation12 documents7 sources
Severity
7.8HIGHNVD
VulnCheck8.8
EPSS
43.9%
top 2.45%
CISA KEV
KEV
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Affected products
6
Apple IOS AND IpadosApple MacosApple Watchos+3 more
Timeline
PublishedDec 8
KEV addedNov 3
KEV dueMay 3
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. Processing a maliciously crafted font may lead to arbitrary code execution.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages8 packages

CVEListV5apple/macosunspecified11.0+5
NVDapple/macos11.011.0.1
CVEListV5apple/watchosunspecified7.1
NVDapple/watchos6.06.2.9+2
NVDapple/mac_os_x< 10.15.7

🔴Vulnerability Details

9
GHSA
GHSA-pcwp-p8jm-7xc7: A memory corruption issue was addressed with improved input validation2022-05-24
Project0
In-the-Wild Series: October 2020 0-day discovery - Project Zero2021-03-01
Project0
Déjà vu-lnerability - Project Zero2021-02-01
CVEList
CVE-2020-27930: A memory corruption issue was addressed with improved input validation2020-12-08
VulnCheck
Apple Multiple Products Memory Corruption Vulnerability2020

📋Vendor Advisories

2
CISA
Apple Multiple Products Memory Corruption Vulnerability2021-11-03
Apple
CVE-2020-27930: iOS 14.2 and iPadOS 14.22020-11-05
CVE-2020-27930 — Out-of-bounds Write in Apple | cvebase