Unrated severity · NVD Advisory · Published Jan 30, 2015 · Updated May 6, 2026

CVE-2014-4489

Description

IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not properly initialize event queues, which allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via a crafted app.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in IOHIDFamily event queue initialization lets a crafted app execute arbitrary code in kernel context on Apple iOS, OS X, and Apple TV.

Vulnerability

IOHIDFamily in Apple iOS before 8.1.3, OS X before 10.10.2, and Apple TV before 7.0.3 does not properly initialize event queues, leading to a NULL pointer dereference. A crafted application can trigger use of the uninitialized pointer, causing memory corruption that leads to arbitrary code execution with kernel privileges or to denial of service.

Exploitation

An attacker must convince a user to run a crafted application on the vulnerable system. No special network position or authentication beyond local execution is required. The exploit sends specific input events that lead to dereferencing a NULL pointer in the IOHIDFamily kernel extension.

Impact

Successful exploitation allows arbitrary code execution in kernel (privileged) context. This gives the attacker full control over the device, including the ability to install software, modify system files, or access sensitive data. Alternatively, the bug may cause a denial of service via kernel panic.

Mitigation

For iOS, the fix was released in iOS 8.1.3 [2]; for OS X, in OS X Yosemite v10.10.2 and Security Update 2015-001 [1]; for Apple TV, in Apple TV 7.0.3 [3]. Users should update affected devices to these versions. No workaround is available for unpatched systems.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
