VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 19, 2013· Updated Apr 29, 2026

CVE-2013-5145

CVE-2013-5145

Description

A missing authorization check in kextd on iOS before 7 allows local users to load or unload kernel extensions via a crafted IPC message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing authorization check in kextd on iOS before 7 allows local users to load or unload kernel extensions via a crafted IPC message.

Vulnerability

The vulnerability resides in kextd, the kernel extension daemon in Apple iOS. Prior to iOS 7, kextd failed to properly verify authorization for Inter-Process Communication (IPC) messages. This allows a local user to craft a malicious IPC message that can either load or unload kernel extensions. The issue affects all iOS devices running versions before iOS 7, including iPhone 4 and later, iPod touch (5th generation) and later, and iPad 2 and later [1].

Exploitation

An attacker with local access to the device can exploit this by sending a specially crafted IPC message to kextd. No additional authentication or elevated privileges are required beyond the ability to run code as a local user. The attacker does not need physical access to the device if they can execute code remotely as a local user (e.g., through a previous compromise). The steps involve constructing the malicious IPC message and delivering it to kextd, which then performs the requested operation without proper authorization checks.

Impact

Successful exploitation allows the attacker to load or unload kernel extensions, which run at the highest privilege level (kernel space). This can lead to arbitrary code execution with kernel privileges, enabling the attacker to bypass system security controls, install persistent malware, or gain complete control over the device. The impact is a full compromise of confidentiality, integrity, and availability of the system.

Mitigation

Apple addressed this vulnerability in iOS 7, which was released on September 18, 2013. Users are advised to update to iOS 7 or later. No workarounds are available for affected versions. The issue is not listed on the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog as of the current date. [1]

References
  1. About the security content of iOS 7 - Apple Support

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

49
  • Apple Inc./Iphone OS48 versions
    cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*+ 47 more
    • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*range: <=6.1.4
    • cpe:2.3:o:apple:iphone_os:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.2.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.2.8:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.3.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.3.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.3.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:5.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:5.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:5.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:5.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:6.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:6.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:6.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:6.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:6.1.3:*:*:*:*:*:*:*
  • Apple Inc./iOSllm-fuzzy
    Range: <7

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.