Cyber Resilience

CVE-2020-9818

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 June 2020
Modified: 23 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0087 (75.6th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-9818 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple iPhone OS. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 24.4% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

An out-of-bounds write vulnerability, tracked as CVE-2020-9818 and assigned CWE-787, affects the mail message processing component in Apple iOS, iPadOS, and watchOS. The flaw stems from insufficient bounds checking when handling crafted input, which can result in unexpected memory modification or application termination. It carries a CVSS 3.1 base score of 8.8 reflecting network attack vector, low complexity, no required privileges, and required user interaction.

An unauthenticated remote attacker can exploit the issue by sending a maliciously crafted email message that the victim processes in the Mail application. Successful exploitation may allow arbitrary memory writes, enabling impacts to confidentiality, integrity, and availability of the affected process without further user action beyond viewing the message.

Apple security advisories for iOS 13.5, iPadOS 13.5, iOS 12.4.7, and watchOS 6.2.5 state that the vulnerability is resolved through improved bounds checking in those releases, with the corresponding updates available via the referenced support documents. No additional mitigation details or workarounds are specified in the provided references.

EU & UK References

Vulnerability details

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 13.5 and iPadOS 13.5, iOS 12.4.7, watchOS 6.2.5. Processing a maliciously crafted mail message may lead to unexpected memory modification or application termination.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product: Affected versions
apple / ipados: ≤ 13.5
apple / iphone os: ≤ 12.4.7 · 13.0 — 13.5
apple / watchos: ≤ 6.2.5

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly requires validation of mail-message input to enforce bounds checking and thereby block the out-of-bounds write described in CVE-2020-9818.

prevent (SI-2, Flaw Remediation): Mandates timely application of the vendor patches (iOS 13.5 / 12.4.7, watchOS 6.2.5) that implement the improved bounds checking fixing CVE-2020-9818.

prevent: Requires memory-protection mechanisms that can contain or prevent the arbitrary memory modification resulting from the out-of-bounds write in the Mail process.

References