CVE-2019-7286
Published: 18 December 2019
Summary
CVE-2019-7286 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Iphone Os. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 18.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A memory corruption vulnerability tracked as CVE-2019-7286 and assigned CWE-787 was present in Apple iOS and macOS. The flaw resulted from insufficient input validation and could permit an application to obtain elevated privileges on the system. It received a CVSS v3.1 base score of 7.8 and was corrected by improved input validation in iOS 12.1.4 and the macOS Mojave 10.14.3 Supplemental Update.
An attacker can exploit the issue locally without prior privileges, provided the victim is tricked into running a malicious application. Successful exploitation yields high impact on confidentiality, integrity, and availability.
Apple security advisories for the affected platforms direct users to install the listed updates, which are available via the support pages at support.apple.com. No additional context on in-the-wild exploitation is supplied in the references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-16830
Vulnerability details
A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 12.1.4, macOS Mojave 10.14.3 Supplemental Update. An application may be able to gain elevated privileges.
- CWE(s)
- KEV Date Added
- 23 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the root cause by enforcing input validation to block malformed data that triggers memory corruption (CWE-787) and privilege escalation.
Provides memory-protection mechanisms that would have prevented exploitation of the out-of-bounds write leading to elevated privileges.
Requires timely installation of the vendor patches (iOS 12.1.4 / macOS 10.14.3) that corrected the insufficient input-validation flaw.