⚠ Actively exploited

Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-27950 — Improper Initialization in Apple IOS AND Ipados

CWE-665 — Improper Initialization11 documents6 sources

Severity

5.5MEDIUMNVD

VulnCheck8.8

EPSS

37.1%

top 2.82%

CISA KEV

KEV

Added 2021-11-03

Due 2022-05-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple IOS AND Ipados Apple Macos Apple Watchos +3 more

Timeline

PublishedDec 8

KEV addedNov 3

KEV dueMay 3

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

A memory initialization issue was addressed. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. A malicious application may be able to disclose kernel memory.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages8 packages

▶CVEListV5apple/macosunspecified — 11.0+5

▶NVDapple/macos11.0 — 11.0.1+1

▶CVEListV5apple/watchosunspecified — 7.1

▶NVDapple/watchos6.0 — 6.2.9+2

▶NVDapple/ipados< 14.2

🔴Vulnerability Details

GHSA

GHSA-76v6-7m6g-p6v4: A memory initialization issue was addressed↗2022-05-24

▶

Project0

The More You Know, The More You Know You Don’t Know - Project Zero↗2022-04-01

▶

Project0

In-the-Wild Series: October 2020 0-day discovery - Project Zero↗2021-03-01

▶

VulnCheck

Apple Multiple Products Memory Initialization Vulnerability↗2020

▶

Project0

Project Zero RCA: CVE-2020-27950: XNU Kernel Memory Disclosure in Mach Message Trailers↗

▶

📋Vendor Advisories

CISA

Apple Multiple Products Memory Initialization Vulnerability↗2021-11-03

▶

Apple

CVE-2020-27950: iOS 14.2 and iPadOS 14.2↗2020-11-05

▶