Cyber Resilience

CVE-2019-8506

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 18 December 2019
Modified: 23 October 2025
KEV Added: 04 May 2022
Patch
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0802 (92.3rd percentile)
Risk Priority: 42 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-8506 is a high-severity Type Confusion (CWE-843) vulnerability in Apple iCloud. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 7.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A type confusion vulnerability, tracked as CVE-2019-8506 and assigned CWE-843, was present in the WebKit component used for processing web content. It affected multiple Apple platforms and applications, specifically iOS prior to 12.2, tvOS prior to 12.2, watchOS prior to 5.2, Safari prior to 12.1, iTunes for Windows prior to 12.9.4, and iCloud for Windows prior to 7.11. The flaw was resolved through improved memory handling in those releases.

An attacker can exploit the issue by serving maliciously crafted web content to a victim. With network access and no privileges required, successful exploitation leads to arbitrary code execution on the target system, carrying high impact to confidentiality, integrity, and availability as reflected in its CVSS 3.1 score of 8.8.

Apple security advisories corresponding to the listed support URLs detail the affected builds and direct users to apply the listed updates, which contain the memory-handling fixes that prevent the type confusion from being triggered during web content processing.

EU & UK References

Vulnerability details

A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.2, tvOS 12.2, watchOS 5.2, Safari 12.1, iTunes 12.9.4 for Windows, iCloud for Windows 7.11. Processing maliciously crafted web content may lead to arbitrary code execution.

CWE(s): CWE-843 (Type Confusion)
KEV Date Added: 04 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product                        Version
apple     icloud                         ≤ 7.11
apple     itunes                         ≤ 12.9.4
apple     safari                         ≤ 12.1
apple     iphone os                      ≤ 12.2
apple     tvos                           ≤ 12.2
apple     watchos                        ≤ 5.2
redhat    enterprise linux desktop       7.0
redhat    enterprise linux server        7.0
redhat    enterprise linux workstation   7.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires timely application of security-relevant patches that remediate the WebKit type-confusion flaw before malicious web content can trigger arbitrary code execution.

SI-16 Memory Protection (prevent)
Enforces memory-protection mechanisms that prevent the exact class of type-confusion and improper memory handling exploited by CVE-2019-8506.

SC-18 Mobile Code (partial match, prevent)
Restricts or sandbox-executes mobile code (JavaScript, etc.) delivered via web content, limiting the attack surface that leads to the code-execution payload.

References