CVE-2019-8605

Published Dec 18, 2019

Last updated 6 months ago

Exploit known CVSS high 7.8

iOS

tvOS

macOS Mojave

Overview

AI description

Automated description summarized from trusted sources.

CVE-2019-8605 is a "use-after-free" vulnerability identified in Apple's XNU kernel, which is a core component of iOS, macOS, tvOS, and watchOS. This flaw could enable a malicious application to execute arbitrary code with system privileges on affected devices. The vulnerability was addressed through improved memory management. Apple released fixes for this issue in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, and watchOS 5.2.1. Notably, reports indicate that an earlier patch for this vulnerability was inadvertently reverted in a subsequent update, leading to its re-introduction before being permanently fixed. The vulnerability was discovered by Ned Williamson of Google Project Zero.

Description: A use after free issue was addressed with improved memory management. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1. A malicious application may be able to execute arbitrary code with system privileges.
Source: product-security@apple.com
NVD status: Analyzed
Products: iphone_os, mac_os_x, tvos, watchos

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.8
Impact score: 5.9
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 9.3
Impact score: 10
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:C/I:C/A:C

Known exploits

Data from CISA

Vulnerability name: Apple Multiple Products Use-After-Free Vulnerability
Exploit added on: Jun 27, 2022
Exploit action due: Jul 18, 2022
Required action: Apply updates per vendor instructions.

Weaknesses

nvd@nist.gov: CWE-416
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-416

Hype score: Not currently trending

Android: - CVE-2024-0044: https://t.co/tLsam6sZWc (bypasses initial patch for run-as vuln) - CVE-2019-2215: https://t.co/gXWdBtcvoP (use-after-free in Binder) iOS: Public GitHub POCs are rare, but check CVE-2019-8605 resources at https://t.co/0ZtYMSL4G7. Use responsibly! 😂
@Hermes_tooll
15 Mar 2026
5842 Impressions
15 Retweets
87 Likes
56 Bookmarks
2 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "DB19F7E8-75CA-4F9F-B79C-DB3B2C0E1EF4",
            "versionEndExcluding": "12.3",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "D6E2DF4C-D103-4762-8CF1-6EDCE088FB1A",
            "versionEndExcluding": "10.14.5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "E4F48137-53D0-4469-9785-57A7FC4482AB",
            "versionEndExcluding": "12.3",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "CF31F5E0-94DD-41FD-80D4-8A27CAECB80B",
            "versionEndExcluding": "5.2.1",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.