VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 18, 2014· Updated May 6, 2026

CVE-2014-4461

CVE-2014-4461

Description

The kernel in Apple iOS before 8.1.1 and Apple TV before 7.0.2 does not properly validate IOSharedDataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A kernel vulnerability in iOS 8.x and Apple TV 7.x allows arbitrary code execution via a crafted application by improperly validating IOSharedDataQueue object metadata.

Vulnerability

The kernel in Apple iOS before version 8.1.1 and Apple TV before version 7.0.2 does not properly validate IOSharedDataQueue object metadata [2][4]. This allows a crafted application to trigger a memory corruption issue in kernel space. The vulnerability is present in the XNU kernel used by these platforms and can be exploited by any installed application without additional privileges.

Exploitation

An attacker requires the ability to run a crafted application on the target device. The application sends specially crafted IOSharedDataQueue metadata to the kernel, exploiting the insufficient validation. No additional network access or user interaction beyond installing the app is needed. The kernel processing path is reached through standard IODataQueue APIs.

Impact

Successful exploitation allows the attacker to execute arbitrary code within the kernel context (ring 0), granting full control over the device. This includes the ability to read and write kernel memory, install persistent code, access sensitive user data, and bypass all security mechanisms such as sandboxing and code signing.

Mitigation

Apple addressed this issue by releasing iOS 8.1.1 and Apple TV 7.0.2, which include improved validation of IOSharedDataQueue metadata [2][4]. Users should update affected devices to these or later versions. No workaround is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

References
  1. About the security content of iOS 8.1.1 - Apple Support
  2. About the security content of Apple TV 7.0.2 - Apple Support

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

20
  • Apple Inc./Iphone Os4 versions
    cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*+ 3 more
    • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*range: <=8.1
    • cpe:2.3:o:apple:iphone_os:8.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:8.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:8.0.2:*:*:*:*:*:*:*
  • Apple Inc./Mac Os X4 versions
    cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*+ 3 more
    • cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*range: <=10.10.1
    • cpe:2.3:o:apple:mac_os_x:10.10.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.8.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.9.5:*:*:*:*:*:*:*
  • Apple Inc./tvOS10 versions
    cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*+ 9 more
    • cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*range: <=7.0.1
    • cpe:2.3:o:apple:tvos:6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:6.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:tvos:7.0:*:*:*:*:*:*:*
  • Apple Inc./iOSllm-fuzzy
    Range: <8.1.1
  • Apple Inc./Apple TVllm-fuzzy
    Range: <7.0.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

11

News mentions

0

No linked articles in our index yet.