VYPR
Unrated severity · NVD Advisory · Published Jan 30, 2015 · Updated May 6, 2026

CVE-2014-4485

Description

Buffer overflow in the XML parser in Foundation in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted XML document.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Buffer overflow in Apple's XML parser lets remote attackers execute arbitrary code via a crafted XML document on iOS, OS X, and Apple TV.

Vulnerability

A buffer overflow vulnerability exists in the XML parser of Foundation in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3. The issue is triggered when the parser processes a specially crafted XML document, leading to a buffer overflow that can result in arbitrary code execution or a denial of service (application crash).

Exploitation

An attacker can exploit this vulnerability by persuading a user to open a malicious XML document delivered via a web page, email attachment, or other means. No additional authentication or special network position is required beyond delivering the crafted XML content to the target device. The vulnerable code path is reachable through any application that uses the Foundation XML parser on the affected systems.

Impact

Successful exploitation allows the attacker to execute arbitrary code with the privileges of the affected application, potentially gaining full control of the device. Alternatively, an attacker could cause the application to crash, resulting in a denial of service. The scope of compromise includes information disclosure, data corruption, and complete system takeover on the affected platforms.

Mitigation

Apple has addressed this vulnerability in iOS 8.1.3, OS X Yosemite v10.10.2 (and Security Update 2015-001), and Apple TV 7.0.3. Users should update to the latest available versions as listed in the referenced security advisories [1][2][3]. No workarounds have been disclosed, and there is no evidence that this CVE is listed on the CISA KEV.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
