CVE-2019-8526
Published: 18 December 2019
Summary
CVE-2019-8526 is a high-severity Use After Free (CWE-416) vulnerability in Apple macOS (Mojave, before 10.14.4). Its CVSS base score is 7.8 (High).
Operationally, it ranks at the 43.5th percentile by predicted exploit likelihood (below the median), yet CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, so the modest percentile should not be read as low priority.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A use-after-free vulnerability, tracked as CVE-2019-8526 and assigned CWE-416, affects macOS Mojave prior to version 10.14.4. The flaw is a memory-management error that can leave a dangling reference after an object is freed; a later use through that reference reads or writes memory that has already been released and may since have been reallocated for a different, possibly attacker-controlled, object. The issue carries a CVSS 3.1 base score of 7.8 under the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
An attacker who already has local access and low privileges can trigger the condition through a malicious application running on the affected system. Successful exploitation lets that application gain elevated privileges, potentially leading to full control of the host.
Apple fixed the vulnerability in the macOS Mojave 10.14.4 update, described in security advisory HT209600. CISA's KEV catalog references the same advisory; inclusion in KEV means CISA has evidence of exploitation in the wild, not merely a published proof of concept. On a host, sw_vers -productVersion reports the installed version; a Mojave system reporting anything below 10.14.4 is unpatched.
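The advisory does not disclose which object in macOS dangles, so the following is a constructed illustration of the CWE-416 pattern and its usual fix, added here as an example; it is not Apple's code and does not reproduce the actual bug. The session object, its admin flag, the four-slot slab allocator and the (slot, generation) handle scheme are all assumptions made for the demonstration. The vulnerable path keeps a raw pointer across a free, an attacker-shaped allocation reuses the slot, and the stale pointer then reads attacker-chosen bytes as a privilege flag; the hardened path revalidates a generation-tagged handle on every use and rejects the stale one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of CWE-416; hypothetical code, not Apple's.
 * A tiny slab with a free list stands in for the kernel allocator so that
 * reuse of a freed slot is deterministic and the program runs stand-alone. */

#define NSLOTS 4
#define CHUNK  16
#define SESSION_ADMIN 0x1u

typedef struct { uint32_t uid; uint32_t flags; } session_t;    /* flags bit 0: admin */
typedef union  { uint8_t raw[CHUNK]; session_t sess; } chunk_t; /* one slab slot */

static chunk_t  slab[NSLOTS];
static bool     in_use[NSLOTS];
static uint32_t generation[NSLOTS];   /* bumped on every free */

static int chunk_alloc(void) {
    for (int i = 0; i < NSLOTS; i++)
        if (!in_use[i]) { in_use[i] = true; return i; }
    return -1;
}

static void chunk_free(int i) {
    in_use[i] = false;
    generation[i]++;           /* any handle issued for the old object is now stale */
    /* contents are not cleared here, as in many allocators */
}

/* Vulnerable pattern: a raw pointer outlives the object it points to. */
bool vulnerable_is_admin(void) {
    int s = chunk_alloc();
    slab[s].sess.uid = 501;            /* unprivileged user session */
    slab[s].sess.flags = 0;
    session_t *stale = &slab[s].sess;  /* a second reference kept by another subsystem */
    chunk_free(s);                     /* object freed; stale now dangles */

    /* Attacker-controlled allocation reuses the slot (heap grooming): the
       attacker fills a "message" object with bytes of its choosing. */
    int m = chunk_alloc();
    memset(slab[m].raw, 0xFF, CHUNK);

    bool admin = (stale->flags & SESSION_ADMIN) != 0;  /* reads attacker bytes */
    chunk_free(m);
    return admin;                      /* true: privilege check subverted */
}

/* Hardened pattern: callers hold a (slot, generation) handle and must
   revalidate it on every use instead of keeping a raw pointer. */
typedef struct { int slot; uint32_t gen; } handle_t;

static handle_t session_open(uint32_t uid, uint32_t flags) {
    int s = chunk_alloc();
    slab[s].sess.uid = uid;
    slab[s].sess.flags = flags;
    return (handle_t){ s, generation[s] };
}

static session_t *session_get(handle_t h) {
    if (h.slot < 0 || h.slot >= NSLOTS) return NULL;
    if (!in_use[h.slot] || generation[h.slot] != h.gen) return NULL;
    return &slab[h.slot].sess;
}

static void session_close(handle_t h) {
    if (session_get(h) == NULL) return;            /* double close is harmless */
    memset(slab[h.slot].raw, 0, CHUNK);            /* zero on free: defense in depth */
    chunk_free(h.slot);
}

bool hardened_is_admin(void) {
    handle_t h = session_open(501, 0);
    handle_t stale = h;                /* copy kept elsewhere, as before */
    session_close(h);

    int m = chunk_alloc();             /* same grooming step as above */
    memset(slab[m].raw, 0xFF, CHUNK);

    session_t *sess = session_get(stale);   /* generation mismatch: NULL */
    bool admin = sess != NULL && (sess->flags & SESSION_ADMIN) != 0;
    chunk_free(m);
    return admin;                      /* false: stale handle is rejected */
}

int main(void) {
    printf("vulnerable: stale pointer reports admin = %d\n", vulnerable_is_admin());
    printf("hardened:   stale handle reports admin  = %d\n", hardened_is_admin());
    return 0;
}
```

The generation counter is what turns "improved memory management" into an enforceable rule: a freed slot can be reused immediately, but every old handle to it fails validation, so the stale reference is denied rather than silently reading whatever now occupies the memory. Memory-protection features such as ASLR and non-executable pages make the vulnerable path harder to weaponize into code execution, but they do not stop the logic-level privilege confusion shown here; only removing the dangling use does.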
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-17916
Vulnerability details
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Mojave 10.14.4. An application may be able to gain elevated privileges.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 17 April 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-16 (Memory Protection): memory protections such as address space layout randomization and non-executable memory raise the cost of turning the dangling reference in CVE-2019-8526 into code execution, but they do not remove the use-after-free itself.
- SI-2 (Flaw Remediation): timely deployment of the macOS Mojave 10.14.4 update, which replaces the flawed memory-management code, is the only control that eliminates the vulnerability.
- Least privilege for applications: limiting the initial privileges of the malicious application reduces the chance that a successful local exploit escalates to full control of the system.