⚠ Actively exploited

Added to CISA KEV on 2022-06-27. Federal agencies required to patch by 2022-07-18. Required action: Apply updates per vendor instructions..

CVE-2020-9907 — Out-of-bounds Write in Apple Tvos

CWE-787 — Out-of-bounds Write CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer7 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.5%

top 33.44%

CISA KEV

KEV

Added 2022-06-27

Due 2022-07-18

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple IOS Apple Tvos Apple Ipados +1 more

Timeline

PublishedOct 16

KEV addedJun 27

KEV dueJul 18

CISA Required Action: Apply updates per vendor instructions.

Description

A memory corruption issue was addressed by removing the vulnerable code. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8. An application may be able to execute arbitrary code with kernel privileges.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5apple/tvosunspecified — tvOS 13.4.8

▶NVDapple/tvos< 13.4.8

▶NVDapple/ipados< 13.6

▶CVEListV5apple/iosunspecified — iOS 13.6 and iPadOS 13.6

▶NVDapple/iphone_os< 13.6

🔴Vulnerability Details

GHSA

GHSA-x2gp-c4cv-7chc: A memory corruption issue was addressed by removing the vulnerable code↗2022-05-24

▶

CVEList

CVE-2020-9907: A memory corruption issue was addressed by removing the vulnerable code↗2020-10-16

▶

VulnCheck

Apple Multiple Products Memory Corruption Vulnerability↗2020

▶

📋Vendor Advisories

CISA

Apple Multiple Products Memory Corruption Vulnerability↗2022-06-27

▶

Apple

CVE-2020-9907: iOS 13.6 and iPadOS 13.6↗2020-07-15

▶

Apple

CVE-2020-9907: tvOS 13.4.8↗2020-07-15

▶