CVE-2014-4404
HIGH severity · CVSS 7.8 · Out-of-bounds write · actively exploited (CISA KEV)
7.8CVSS HIGH exploited
Actively exploited in the wild (CISA Known Exploited Vulnerabilities).
Added to KEV 2022-02-10. US federal agencies must patch by 2022-08-10.
Summary
Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.
Impact & exploitability
Attack vectorLocal
Attack complexityLow
Privileges requiredNone
User interactionRequired
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)49%
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Recommendation
This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.htmlAdvisory
- http://support.apple.com/kb/HT6441Advisory
- http://support.apple.com/kb/HT6442Advisory
- http://archives.neohapsis.com/archives/bugtraq/2014-09/0106.html
- http://archives.neohapsis.com/archives/bugtraq/2014-09/0107.html
- http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
- http://www.securityfocus.com/bid/69882Advisory
- http://www.securityfocus.com/bid/69947Advisory