VYPR
Unrated severity · NVD Advisory · Published Apr 10, 2015 · Updated May 6, 2026

CVE-2015-1136


Description

Use-after-free vulnerability in CoreAnimation in Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code by leveraging improper use of a mutex.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in CoreAnimation in Apple OS X before 10.10.3 allows remote code execution via improper mutex use.

Vulnerability

A use-after-free vulnerability exists in the CoreAnimation framework of Apple OS X Yosemite versions v10.10 through v10.10.2. The flaw arises from improper use of a mutex, leading to a use-after-free condition when processing certain inputs. This allows an attacker to corrupt memory and potentially execute arbitrary code.

Exploitation

An attacker can exploit this vulnerability remotely by delivering crafted content (e.g., via a web page or email) that triggers the use-after-free in CoreAnimation. No authentication is required; the attacker only needs to convince the user to open the malicious content. The improper mutex handling creates a race window that can be leveraged to access freed memory.

Impact

Successful exploitation grants the attacker arbitrary code execution in the context of the affected user. This can lead to full system compromise, including data theft, installation of malware, or further privilege escalation.

Mitigation

Apple addressed this issue in OS X Yosemite v10.10.3, released on April 8, 2015 [1]. Users should update via Software Update or download the standalone update. No workarounds are available for unpatched systems. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
