CVE-2014-8835
Description
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XPC type confusion in libxpc in OS X before 10.10.2 allows local attackers to execute arbitrary code via a crafted dictionary to sysmond.
Vulnerability
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type. This allows an attacker to provide a crafted dictionary to sysmond, causing an XPC type confusion. Affected versions include OS X Mavericks v10.9.5 and OS X Yosemite v10.10 and v10.10.1 [1].
Exploitation
An attacker with local access to the system can craft a malicious dictionary intended for sysmond, exploiting the type confusion in xpc_data_get_bytes. No authentication is required beyond local user access. The attack sequence involves sending the crafted dictionary to sysmond, which triggers the type confusion and leads to code execution.
Impact
Successful exploitation allows arbitrary code execution in the context of the sysmond process, which runs with elevated privileges. This can lead to full compromise of the system, including unauthorized data access and control.
Mitigation
Apple addressed this vulnerability in OS X Yosemite v10.10.2 and Security Update 2015-001, released on January 27, 2015 [1]. Users should update to OS X 10.10.2 or later. No workaround is available; upgrading is the recommended mitigation.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:mac_os_x:10.10.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.10.1:*:*:*:*:*:*:*
- Range: <10.10.2
Patches
No patches discovered yet.
References
- www.exploit-db.com/exploits/35742/ (nvd, Exploit)
- www.securityfocus.com/bid/71992 (nvd, Exploit)
- code.google.com/p/google-security-research/issues/detail (nvd, Exploit)
- lists.apple.com/archives/security-announce/2015/Jan/msg00003.html (nvd, Vendor Advisory)
- support.apple.com/HT204244 (nvd, Vendor Advisory)
- packetstormsecurity.com/files/135701/OS-X-Sysmond-XPC-Type-Confusion-Privilege-Escalation.html (nvd)
- www.securitytracker.com/id/1031650 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/100530 (nvd)