CVE-2019-7286

Severity: High
CISA KEV: Active Exploitation
EUVD: Exploited

Published: 18 December 2019
Modified: 23 October 2025
KEV Added: 23 May 2022
Patch: available
CVSS v3.1 Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0158 (82.0th percentile)
Risk Priority: 37 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-7286 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple iPhone OS (iOS). Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 18.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

A memory corruption vulnerability tracked as CVE-2019-7286 and assigned CWE-787 was present in Apple iOS and macOS. The flaw resulted from insufficient input validation and could permit an application to obtain elevated privileges on the system. It received a CVSS v3.1 base score of 7.8 and was corrected by improved input validation in iOS 12.1.4 and the macOS Mojave 10.14.3 Supplemental Update.

An attacker can exploit the issue locally without prior privileges, provided the victim is tricked into running a malicious application. Successful exploitation yields high impact on confidentiality, integrity, and availability.

Apple security advisories for the affected platforms direct users to install the listed updates, which are available via the support pages at support.apple.com. No additional context on in-the-wild exploitation is supplied in the references.

Vulnerability details

A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 12.1.4, macOS Mojave 10.14.3 Supplemental Update. An application may be able to gain elevated privileges.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 23 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Apple iPhone OS (iOS): ≤ 12.1.4
Apple Mac OS X (macOS): ≤ 10.14.3

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly mitigates the root cause by enforcing input validation to block malformed data that triggers memory corruption (CWE-787) and privilege escalation.

SI-16 Memory Protection (prevent): Provides memory-protection mechanisms that would have prevented exploitation of the out-of-bounds write leading to elevated privileges.

Patching (prevent): Requires timely installation of the vendor patches (iOS 12.1.4 / macOS 10.14.3) that corrected the insufficient input-validation flaw.
