CVE-2020-9819
Vexday Risk Score
43 Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 4.3 | EPSS 2.2% | KEV yes | PoC — | Nuclei — | Metasploit — | Patch —
Lifecycle
09 Jun 2020: Published on NVD
03 Nov 2021: Active exploitation (CISA KEV)
Recommendation: Plan a near-term fix — a public PoC already exists.
In short
A specially crafted email message can cause excessive memory usage or heap corruption on Apple devices, potentially crashing the mail app or causing instability.
Technical detail
A heap buffer overflow vulnerability exists in iOS/iPadOS mail processing that allows an attacker to send a maliciously crafted email message, triggering memory corruption without requiring user interaction beyond receiving the message. The vulnerability affects iOS 13.4 and earlier, iOS 12.4.6 and earlier, and watchOS versions prior to 6.2.5 and 5.3.7.
Summary generated and translated by AI from the official description.
A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 13.5 and iPadOS 13.5, iOS 12.4.7, watchOS 6.2.5, watchOS 5.3.7. Processing a maliciously crafted mail message may lead to heap corruption.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L