VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 19, 2006· Updated Apr 16, 2026

CVE-2006-4866

CVE-2006-4866

Description

Buffer overflow in kextload in Apple OS X, as used by TDIXSupport in Roxio Toast Titanium and possibly other products, allows local users to execute arbitrary code via a long extension argument.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Members only

The AI Insight narrative is available to signed-in members. Sign in or create a free account to read it.

Affected products

74
  • Apple Inc./Mac OS X38 versions
    cpe:2.3:o:apple:mac_os_x:10.0:*:*:*:*:*:*:*+ 37 more
    • cpe:2.3:o:apple:mac_os_x:10.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.0.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.0.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.1.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.2.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.3.9:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.4.7:*:*:*:*:*:*:*
  • Apple Inc./Mac OS X Server34 versions
    cpe:2.3:o:apple:mac_os_x_server:10.0:*:*:*:*:*:*:*+ 33 more
    • cpe:2.3:o:apple:mac_os_x_server:10.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.1.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.2.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.7:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.3.9:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.4.7:*:*:*:*:*:*:*
  • Roxio/Toast Titanium 7llm-fuzzy
  • Apple Inc./OS Xllm-fuzzy

Patches

Members only

Discovered fix commits and diffs is available to signed-in members. Sign in or create a free account to read it.

Vulnerability mechanics

Root cause

"Missing bounds checking on the extension argument passed to kextload allows a buffer overflow, and use of user-controlled input as a format string argument to fprintf allows a format string vulnerability."

Attack vector

A local attacker supplies a long extension argument (e.g., 1022 or more 'A' characters) to kextload. Because kextload is invoked with root privileges by helper applications such as Roxio Toast Titanium's TDIXSupport, the overflow overwrites critical memory and can lead to arbitrary code execution at root level [ref_id=1]. The format string variant is triggered by passing format specifiers (e.g., `%x`) as the kext path argument, causing kextload to read from invalid memory addresses [ref_id=1].

Affected code

The vulnerability resides in the kextload program, specifically in the handling of command-line arguments. The advisory identifies the format string bug in `prelink.c` where `fprintf(stderr, kext_path)` is called without a format string [ref_id=1]. The buffer overflow occurs when kextload copies an overly long extension argument into a fixed-size buffer without bounds checking [ref_id=1].

What the fix does

The advisory does not include a patch or describe a vendor fix. It states only that Apple was notified [ref_id=1]. No remediation details are available in the supplied bundle.

Preconditions

  • authThe attacker must be a local user on the affected OS X system.
  • configkextload must be invoked with root privileges, either directly via sudo or indirectly through a helper application such as Roxio Toast Titanium's TDIXSupport.
  • inputThe attacker supplies a maliciously crafted command-line argument (long string or format specifiers) to kextload.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.