CVE-2006-1985
Description
Heap buffer overflow in BOMArchiveHelper on Mac OS X 10.4.6 and earlier allows arbitrary code execution via crafted archive with long path names.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in BOM BOMArchiveHelper version 10.4 (6.3) Build 312, as used in Mac OS X 10.4.6 and earlier. The vulnerability resides in the BOMStackPop function and is triggered when processing a crafted archive (e.g., ZIP) containing overly long path names, leading to a heap overflow [1][2].
Exploitation
User-assisted exploitation requires the victim to open a malicious archive. No special privileges or network access are needed beyond user interaction. An attacker crafts an archive with long path names; upon extraction, the overflow occurs.
Impact
Successful exploitation allows arbitrary code execution with the privileges of the logged-in user, potentially leading to full system compromise.
Mitigation
Apple released Security Update 2006-003 for Mac OS X 10.4.6, which addresses this vulnerability. Users should apply the update. No workarounds have been published.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apple:safari:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.6:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.7:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.8:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.3.9:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.4.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.4.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.4.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.4.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.4.6:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.3.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.3.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.3.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.3.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.3.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.3.6:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.3.7:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.3.8:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.3.9:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.4.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.4.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.4.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.4.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.4.6:*:*:*:*:*:*:*
- Range: <=10.4.6
Patches
No patches discovered yet.
References
- lists.apple.com/archives/security-announce/2006/May/msg00003.html (nvd; Patch)
- secunia.com/advisories/20077 (nvd; Patch, Vendor Advisory)
- www.security-protocols.com/sp-x25-advisory.php (nvd; Patch, Vendor Advisory)
- www.us-cert.gov/cas/techalerts/TA06-132A.html (nvd; Patch, Third Party Advisory, US Government Resource)
- secunia.com/advisories/19686 (nvd; Vendor Advisory)
- www.vupen.com/english/advisories/2006/1452 (nvd; Vendor Advisory)
- www.vupen.com/english/advisories/2006/1779 (nvd; Vendor Advisory)
- securitytracker.com/id (nvd)
- www.osvdb.org/24819 (nvd)
- www.security-protocols.com/modules.php (nvd)
- www.securityfocus.com/bid/17634 (nvd)
- www.securityfocus.com/bid/17951 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/25945 (nvd)