7.5
CVSSv2

CVE-2019-8641

Published: 18/12/2019 Updated: 19/12/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apple tvOS could allow a remote malicious user to execute arbitrary code on the system, caused by an out-of-bounds read in the Foundation component. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Vulnerability Trend

Affected Products

Vendor Product Versions
AppleIphone Os1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 2.0, 2.0.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.2, 2.2.1, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.2, 3.2.1, 3.2.2, 4.0, 4.0.1, 4.0.2, 4.1, 4.2.1, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 5.0, 5.0.1, 5.1, 5.1.1, 6.0, 6.0.1, 6.0.2, 6.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 7.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.1, 7.1.1, 7.1.2, 8.0, 8.0.1, 8.0.2, 8.1, 8.1.1, 8.1.2, 8.1.3, 8.2, 8.3, 8.4, 8.4.1, 9.0, 9.0.1, 9.0.2, 9.1, 9.2, 9.2.1, 9.3, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 10.0, 10.0.1, 10.0.2, 10.0.3, 10.1, 10.1.1, 10.2, 10.2.1, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 11, 11.0, 11.0.1, 11.0.2, 11.0.3, 11.1, 11.1.1, 11.1.2, 11.2, 11.2.1, 11.2.2, 11.2.5, 11.2.6, 11.3, 11.3.1, 11.4, 11.4.1, 12.0, 12.0.1, 12.1, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.2, 12.3, 12.3.1, 12.3.2
AppleMac Os X-, 10.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.1, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.2, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.3, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.4, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.4.8, 10.4.9, 10.4.10, 10.4.11, 10.5, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.6.7, 10.6.8, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.9, 10.9.1, 10.9.2, 10.9.3, 10.9.4, 10.9.5, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5, 10.11.0, 10.11.1, 10.11.2, 10.11.3, 10.11.4, 10.11.5, 10.11.6, 10.12, 10.12.0, 10.12.1, 10.12.2, 10.12.3, 10.12.4, 10.12.5, 10.12.6, 10.13, 10.13.0, 10.13.1, 10.13.2, 10.13.3, 10.13.4, 10.13.5, 10.13.6, 10.14, 10.14.1, 10.14.2, 10.14.4, 10.14.5
AppleTvos1.0.0, 1.1.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 3.0.0, 3.0.1, 3.0.2, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.4.0, 4.4.2, 4.4.3, 4.4.4, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.2.0, 6.0, 6.0.1, 6.0.2, 6.1, 6.1.1, 6.1.2, 6.2, 6.2.1, 7.0, 7.0.1, 7.0.2, 7.0.3, 7.1, 9.0, 9.0.1, 9.1, 9.1.1, 9.2, 9.2.1, 9.2.2, 10.0, 10.0.1, 10.1, 10.1.1, 10.2, 10.2.1, 10.2.2, 11, 11.0, 11.1, 11.2, 11.2.1, 11.2.6, 11.3, 11.4.1, 12, 12.0.1, 12.1, 12.1.1, 12.2
AppleWatchos1.0, 1.0.1, 2.0, 2.0.1, 2.1, 2.2, 2.2.0, 2.2.1, 2.2.2, 3.0, 3.1, 3.1.1, 3.1.3, 3.2, 3.2.2, 3.2.3, 4, 4.0, 4.0.1, 4.1, 4.2.3, 4.3, 4.3.1, 4.3.2, 5.0, 5.0.1, 5.1, 5.1.1, 5.1.2, 5.1.3, 5.2, 5.2.1

Vendor Advisories

About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible ...
About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible ...
About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible ...
About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible ...
About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible ...
About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible ...
About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible ...
About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible ...
About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID when possible ...

Exploits

When an NSKeyedUnarchiver decodes an object, it first allocates the object using allocWithZone, and then puts the object into a dictionary for temporary objects It then calls the appropriate initWithCoder: on the allocated object If initWithCoder: or any method it calls decodes the same object, its gets back a reference to the original object in ...
During processing of incoming iMessages, attacker controlled data is deserialized using the NSUnarchiver API One of the classes that is allowed to be decoded from the incoming data is NSDictionary However, due to the logic of NSUnarchiver, all subclasses of NSDictionary that also implement secure coding can then be deserialized as well NSSharedK ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-9-26-2 macOS Mojave 10146 Supplemental Update 2, Security Update 2019-005 High Sierra, Security Update 2019-005 Sierra macOS Mojave 10146 Supplemental Update 2, Security Update 2019-005 High Sierra, Security Update 2019-005 Sierra are now available and address the following: Found ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-9-26-5 watchOS 6 watchOS 6 addresses the following: Foundation Available for: Apple Watch Series 3 and later Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved inp ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-9-26-1 iOS 1242 iOS 1242 is now available and addresses the following: Foundation Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPad touch 6th generation Impact: A remote attacker may be able to cause unexpected application termination ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-9-26-2 macOS Mojave 10146 Supplemental Update 2, Security Update 2019-005 High Sierra, Security Update 2019-005 Sierra macOS Mojave 10146 Supplemental Update 2, Security Update 2019-005 High Sierra, Security Update 2019-005 Sierra are now available and address the following: Found ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-9-26-5 watchOS 6 watchOS 6 addresses the following: Foundation Available for: Apple Watch Series 3 and later Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: An out-of-bounds read was addressed with improved inp ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-9-26-1 iOS 1242 iOS 1242 is now available and addresses the following: Foundation Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPad touch 6th generation Impact: A remote attacker may be able to cause unexpected application termination ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-9-26-3 iOS 13 iOS 13 addresses the following: Bluetooth Available for: iPhone 6s and later Impact: Notification previews may show on Bluetooth accessories even when previews are disabled Description: A logic issue existed with the display of notification previews This issue was addre ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-9-26-3 iOS 13 iOS 13 addresses the following: Bluetooth Available for: iPhone 6s and later Impact: Notification previews may show on Bluetooth accessories even when previews are disabled Description: A logic issue existed with the display of notification previews This issue was addre ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-7-22-4 watchOS 53 watchOS 53 is now available and addresses the following: Core Data Available for: Apple Watch Series 1 and later Impact: A remote attacker may be able to leak memory Description: An out-of-bounds read was addressed with improved input validation CVE-2019-8646: Nat ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-3 Additional information for APPLE-SA-2019-7-22-4 watchOS 53 watchOS 53 addresses the following: Bluetooth Available for: Apple Watch Series 1 and later Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-10-29-8 Additional information for APPLE-SA-2019-9-26-5 watchOS 6 watchOS 6 addresses the following: Audio Available for: Apple Watch Series 3 and later Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: A memory corruption issue was ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-1 Additional information for APPLE-SA-2019-7-22-2 macOS Mojave 10146, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra macOS Mojave 10146, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra address the following: AppleGraphicsControl Av ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-4 Additional information for APPLE-SA-2019-7-22-5 tvOS 124 tvOS 124 addresses the following: Bluetooth Available for: Apple TV 4K and Apple TV HD Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth - KNOB ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-7-22-5 tvOS 124 tvOS 124 is now available and addresses the following: Core Data Available for: Apple TV 4K and Apple TV HD Impact: A remote attacker may be able to leak memory Description: An out-of-bounds read was addressed with improved input validation CVE-2019-8646: Natalie Si ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-1 Additional information for APPLE-SA-2019-7-22-2 macOS Mojave 10146, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra macOS Mojave 10146, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra address the following: AppleGraphicsControl Av ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-7-22-4 watchOS 53 watchOS 53 is now available and addresses the following: Core Data Available for: Apple Watch Series 1 and later Impact: A remote attacker may be able to leak memory Description: An out-of-bounds read was addressed with improved input validation CVE-2019-8646: Nat ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-4 Additional information for APPLE-SA-2019-7-22-5 tvOS 124 tvOS 124 addresses the following: Bluetooth Available for: Apple TV 4K and Apple TV HD Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth - KNOB ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-7-22-2 macOS Mojave 10146, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra macOS Mojave 10146, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra are now available and address the following: AppleGraphicsControl Available for: macOS Mojave ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-3 Additional information for APPLE-SA-2019-7-22-4 watchOS 53 watchOS 53 addresses the following: Bluetooth Available for: Apple Watch Series 1 and later Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-10-29-6 Additional information for APPLE-SA-2019-9-26-3 iOS 13 iOS 13 addresses the following: Bluetooth Available for: iPhone 6s and later Impact: Notification previews may show on Bluetooth accessories even when previews are disabled Description: A logic issue existed with the displ ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-7-22-1 iOS 124 iOS 124 is now available and addresses the following: Core Data Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later Impact: A remote attacker may be able to leak memory Description: An out-of-bounds read was addressed with i ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-2 Additional information for APPLE-SA-2019-7-22-1 iOS 124 iOS 124 addresses the following: Bluetooth Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later Impact: An attacker in a privileged network position may be able to intercept Blu ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-7-22-1 iOS 124 iOS 124 is now available and addresses the following: Core Data Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later Impact: A remote attacker may be able to leak memory Description: An out-of-bounds read was addressed with i ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-7-22-5 tvOS 124 tvOS 124 is now available and addresses the following: Core Data Available for: Apple TV 4K and Apple TV HD Impact: A remote attacker may be able to leak memory Description: An out-of-bounds read was addressed with improved input validation CVE-2019-8646: Natalie Si ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-8-13-2 Additional information for APPLE-SA-2019-7-22-1 iOS 124 iOS 124 addresses the following: Bluetooth Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later Impact: An attacker in a privileged network position may be able to intercept Blu ...

Recent Articles

Got a pre-A12 iPhone? Love jailbreaks? Happy Friday! 'Unpatchable tethered Boot ROM exploit' released
The Register • Shaun Nichols in San Francisco • 27 Sep 2019

Coder claims iThings older than two years can be unlocked from Apple's clutches

A programmer claims to have found a way to execute arbitrary code on recent-ish iPhones and iPads, paving the way for full-blown tethered jailbreaks.
And, we're told, it is impossible for Apple to block these shenanigans as it involves a vulnerability baked into the devices' immutable Boot ROM.
Specifically, the coder, who goes by the handle axi0mX, on Friday said they had built checkm8: "A permanent unpatchable bootrom exploit for hundreds of millions of iOS devices ... Most generat...

Apple iMessage Flaw Allows Remote Attackers to Read iPhone Messages
Threatpost • Tara Seals • 30 Jul 2019

Five bugs in Apple’s iMessage service for the iPhone have been uncovered that require no user interaction to exploit, including one that would allow remote attackers to access content stored on iOS devices.
First discovered by Google Project Zero security researcher Natalie Silvanovich, Apple has fully patched four of the flaws as part of the 12.4 iOS update.
CVE-2019-8646 is the bug that allows an attacker to read files off a remote device with no user interaction. An exploit coul...

It's 2019 and you can still pwn an iPhone with a website: Apple patches up iOS, Mac bugs in July security hole dump
The Register • Shaun Nichols in San Francisco • 23 Jul 2019

20 WebKit flaws among latest batch of bug fixes

On Monday Apple released a fresh round of security fixes for a load of its operating systems and applications.
The July patch batch addresses vulnerabilities in iOS, MacOS, Safari, watchOS, and tvOS, though many of the updates are for common components across each of the platforms, such as the WebKit browser engine.
For iOS, the 12.4 update brings a total of 37 fixes for various components in the mobile operating system.
More than half of those CVE-listed flaws were found in We...