Cyber Resilience

CVE-2019-8526

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 18 December 2019
Modified: 23 October 2025
KEV added: 17 April 2023
Patch: macOS Mojave 10.14.4 (Apple advisory HT209600)
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0021 (43.5th percentile)
Risk priority: 36 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-8526 is a high-severity Use After Free (CWE-416) vulnerability in Apple Mac OS X. Its CVSS base score is 7.8 (High).

Operationally, its EPSS exploit likelihood ranks at the 43.5th percentile (below the median), yet CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A use-after-free vulnerability, tracked as CVE-2019-8526 and assigned CWE-416, affects macOS Mojave prior to version 10.14.4. The flaw stems from insufficient memory management that can leave a dangling reference after an object is freed, enabling improper access to previously allocated memory regions. The issue carries a CVSS 3.1 base score of 7.8 under the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

An attacker with local access and low privileges can trigger the condition through a malicious application running on the affected system. Successful exploitation allows the application to obtain elevated privileges, potentially leading to full control over the host.

Apple addressed the vulnerability in the macOS Mojave 10.14.4 update published under security advisory HT209600. The same advisory is referenced by CISA in its catalog of known exploited vulnerabilities, confirming that the issue has been observed in active exploitation campaigns.

Vulnerability details

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Mojave 10.14.4. An application may be able to gain elevated privileges.

CWE(s): CWE-416 (Use After Free)
KEV date added: 17 April 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apple
Product: mac os x
Versions: ≤ 10.14.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-16 (Memory Protection)

Directly enforces memory protections that eliminate use-after-free conditions such as the dangling reference in CVE-2019-8526.

Prevent: SI-2 (Flaw Remediation)

Requires timely application of the macOS Mojave 10.14.4 patch that removes the flawed memory-management code.

Prevent

Limits the initial privileges of the malicious application, reducing how far a successful local exploit can escalate toward full control of the system.
