Cyber Resilience

CVE-2020-9819

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 June 2020
Modified: 23 October 2025
KEV Added: 03 November 2021
Patch: available (Apple advisories HT211168, HT211169, HT211175, HT211176)
CVSS Score (v3.1): 4.3 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
EPSS Score: 0.0061 (70.1st percentile)
Risk Priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-9819 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Apple iPhone OS (iOS). Its CVSS v3.1 base score is 4.3 (Medium).

Operationally, this CVE ranks in the top 29.9% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A memory consumption issue, addressed through improved memory handling, affects the Mail component in multiple Apple operating systems. The vulnerability, tracked as CVE-2020-9819 and classified as CWE-787, can trigger heap corruption when a maliciously crafted mail message is processed. Impacted platforms include iOS 13.5 and iPadOS 13.5, iOS 12.4.7, watchOS 6.2.5, and watchOS 5.3.7. The flaw carries a CVSS v3.1 score of 4.3, reflecting a network attack vector, low attack complexity, required user interaction, and an impact limited to availability.

An unauthenticated remote attacker can exploit the issue by delivering a specially crafted email that the victim then processes in the Mail application, so user interaction is required. Successful exploitation may result in heap corruption that disrupts service availability; under the reported scoring it does not enable direct confidentiality or integrity compromise.

Apple security advisories HT211168, HT211169, HT211175, and HT211176 state that the issue is resolved by updating to the listed iOS, iPadOS, and watchOS versions, which incorporate the corrected memory handling. No additional workarounds are described in the references.

EU & UK References

Vulnerability details

A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 13.5 and iPadOS 13.5, iOS 12.4.7, watchOS 6.2.5, watchOS 5.3.7. Processing a maliciously crafted mail message may lead to heap corruption.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apple · Product: ipados · Affected versions: ≤ 13.5
Vendor: apple · Product: iphone os · Affected versions: ≤ 12.4.7 · 13.0 — 13.5
Vendor: apple · Product: watchos · Affected versions: ≤ 5.3.7 · 6.0.0 — 6.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent · SI-2 (Flaw Remediation): Directly requires timely application of the patches that correct the flawed memory handling in the Mail component, eliminating the heap corruption vector before exploitation.

prevent · SI-16 (Memory Protection): Enforces memory protection mechanisms that can block or contain the out-of-bounds write (CWE-787) triggered by the crafted mail message.

prevent: Requires validation of input data, which would reject or safely handle the maliciously crafted mail message before it reaches vulnerable memory routines.

References