Cyber Resilience

CVE-2014-4404

HighCISA KEVActive ExploitationEUVD Exploited

Published: 18 September 2014

Published
18 September 2014
Modified
21 April 2026
KEV Added
10 February 2022
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.6200 98.4th percentile
Risk Priority 73 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2014-4404 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Mac Os X. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 1.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A heap-based buffer overflow vulnerability exists in the IOHIDFamily component on Apple iOS versions prior to 8 and Apple TV versions prior to 7. The flaw, assigned CWE-787, is triggered when an application supplies specially crafted key-mapping properties, leading to memory corruption that can be leveraged for code execution.

An attacker with the ability to run a malicious application on an affected device can exploit the issue to achieve arbitrary code execution in a privileged context. The attack requires local access and user interaction but needs no prior privileges on the system, corresponding to a CVSS 3.1 base score of 7.8.

Apple addressed the vulnerability through updates that bring iOS to version 8 and Apple TV to version 7, as noted in the vendor's security announcements and support documentation. No further mitigation details such as configuration changes or workarounds are specified in the available references.

EU & UK References

Vulnerability details

Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.

CWE(s)
KEV Date Added
10 February 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
iphone os
≤ 8.0
apple
mac os x
≤ 10.10.0 · 10.10.1 — 10.10.3
apple
tvos
≤ 7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements memory protection mechanisms that would block the heap-based buffer overflow (CWE-787) in IOHIDFamily before memory corruption occurs.

prevent

Requires timely application of patches that remediate the specific IOHIDFamily flaw, exactly as Apple did by updating to iOS 8 / Apple TV 7.

prevent

Mandates validation of untrusted input (crafted key-mapping properties supplied by an app) to reject malformed data that triggers the overflow.

References