CVE-2020-27930

CVSS 7.8 HIGH | EPSS 22.2% | KEV | CWE-787
In short

A flaw in how Apple devices process font files can allow attackers to run malicious code on your device by sending a specially crafted font. This is a serious vulnerability because it lets attackers take control of your system.

Technical detail

Out-of-bounds write vulnerability (CWE-787) in font processing on Apple platforms (macOS, iOS, watchOS). Attack vector requires user interaction or application-level font rendering; successful exploitation leads to arbitrary code execution with the privileges of the affected application. Fixed through improved input validation in font parsing.

Summary generated and translated by AI from the official description.
A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. Processing a maliciously crafted font may lead to arbitrary code execution.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
