CVE-2014-4405
Description
IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted key-mapping properties.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted application can exploit a NULL pointer dereference in IOHIDFamily to execute arbitrary code with elevated privileges on iOS before 8 and Apple TV before 7.
Vulnerability
IOHIDFamily in Apple iOS before 8 and Apple TV before 7 contains a vulnerability that allows a NULL pointer dereference when an application provides crafted key-mapping properties [1][4]. This issue is reachable by any third-party application that can supply malicious key-mapping properties to the IOHIDFamily subsystem. Affected versions include iOS 7.x and earlier, and Apple TV 6.x and earlier.
Exploitation
An attacker must have the ability to install and run a crafted application on the target device. The application delivers specially crafted key-mapping properties to the IOHIDFamily subsystem, triggering a NULL pointer dereference. No additional authentication or user interaction beyond the initial installation and execution of the malicious application is required. The attacker can then leverage the resulting memory corruption to achieve arbitrary code execution in a privileged kernel context.
Impact
Successful exploitation results in arbitrary code execution in a privileged context (kernel level), which can lead to full compromise of the device. Additionally, the NULL pointer dereference alone can cause a denial of service (system crash). An attacker could potentially install unauthorized software, access sensitive data, or monitor user activity.
Mitigation
Apple addressed this issue in iOS 8 [1] and Apple TV 7 [4]. Users should update their devices to iOS 8 or later, or Apple TV 7 or later. No workaround is available for affected versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (range: <=7.1.2)
- cpe:2.3:o:apple:iphone_os:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.1.1:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* (range: <=6.2)
- cpe:2.3:o:apple:tvos:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:tvos:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:tvos:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:tvos:6.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:tvos:6.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:tvos:6.1.2:*:*:*:*:*:*:*
- Range: <8
- Range: <7
Patches
No patches discovered yet.
References
- lists.apple.com/archives/security-announce/2015/Apr/msg00001.html (nvd, Vendor Advisory)
- support.apple.com/HT204659 (nvd, Vendor Advisory)
- archives.neohapsis.com/archives/bugtraq/2014-09/0106.html (nvd)
- archives.neohapsis.com/archives/bugtraq/2014-09/0107.html (nvd)
- archives.neohapsis.com/archives/bugtraq/2014-10/0101.html (nvd)
- support.apple.com/kb/HT6441 (nvd)
- support.apple.com/kb/HT6442 (nvd)
- www.securityfocus.com/bid/69882 (nvd)
- www.securityfocus.com/bid/69938 (nvd)
- www.securitytracker.com/id/1030866 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/96109 (nvd)
- support.apple.com/kb/HT6535 (nvd)