Cyber Resilience

CVE-2020-3837

HighCISA KEVActive ExploitationEUVD Exploited

Published: 27 February 2020

Published
27 February 2020
Modified
23 October 2025
KEV Added
27 June 2022
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0642 91.3th percentile
Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-3837 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Ipados. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 8.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

A memory corruption vulnerability tracked as CVE-2020-3837 and assigned CWE-787 affects Apple platforms running iOS, iPadOS, macOS Catalina, tvOS, and watchOS. The root cause is insufficient validation during memory operations that can be triggered by an application, and the flaw received a CVSS 3.1 base score of 7.8.

An unauthenticated local attacker who can persuade a user to run a malicious application may leverage the issue to corrupt kernel memory and execute arbitrary code with kernel privileges, resulting in full control over the affected device.

Apple has released fixes that improve memory handling in iOS 13.3.1 and iPadOS 13.3.1, macOS Catalina 10.15.3, tvOS 13.3.1, and watchOS 6.1.2; the corresponding security advisories direct administrators and users to install these updates to eliminate the exposure.

EU & UK References

Vulnerability details

A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, macOS Catalina 10.15.3, tvOS 13.3.1, watchOS 6.1.2. An application may be able to execute arbitrary code with kernel privileges.

CWE(s)
KEV Date Added
27 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
ipados
≤ 13.3.1
apple
iphone os
≤ 13.3.1
apple
mac os x
≤ 10.15.3
apple
tvos
≤ 13.3.1
apple
watchos
≤ 6.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces memory protection mechanisms that would have blocked the kernel memory corruption exploited by CVE-2020-3837.

prevent

Requires separate execution domains for processes, preventing an application from corrupting kernel memory and obtaining kernel privileges.

prevent

Mandates timely installation of the vendor patches that corrected the insufficient memory-handling flaw in affected Apple platforms.

References