CVE-2019-6224
Description
A remote buffer overflow in FaceTime on Apple devices could allow arbitrary code execution; fixed in iOS 12.1.3, macOS 10.14.3, tvOS 12.1.2, and watchOS 5.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overflow exists in the FaceTime component of Apple operating systems, allowing a remote attacker to trigger arbitrary code execution. The issue is addressed with improved memory handling in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2, and watchOS 5.1.3 [1][2][3][4].
Exploitation
An attacker can exploit this vulnerability by initiating a FaceTime call to a targeted device, requiring only network access to reach the victim. No explicit user interaction is needed beyond receiving the call. The buffer overflow occurs during call handling, enabling the attacker to overwrite memory.
Impact
Successful exploitation allows remote arbitrary code execution on the targeted device, potentially giving the attacker full control over the system. This can lead to data theft, surveillance, or further compromise of the device and local network.
Mitigation
Apple released fixes on January 22, 2019, in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2, and watchOS 5.1.3 [1][2][3][4]. Users should update to these or later versions. No workarounds are documented. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
- About the security content of iOS 12.1.3 - Apple Support
- About the security content of macOS Mojave 10.14.3, Security Update 2019-001 High Sierra, Security Update 2019-001 Sierra - Apple Support
- About the security content of tvOS 12.1.2 - Apple Support
- About the security content of watchOS 5.1.3 - Apple Support
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.14.3
- (no CPE) range: <12.1.2
- (no CPE) range: unspecified
- (no CPE) range: <12.1.3
- (no CPE) range: unspecified
- Range: unspecified
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Buffer overflow in `VCAudioReceiver_SplitRedPacket` when splitting RED packets, leading to memory corruption in Metal texture processing."
Attack vector
A remote attacker initiates a FaceTime call to the target; if the target accepts the call, the attacker sends a malformed RTP video stream [ref_id=1]. The root cause is likely an overflow when splitting RED (Redundant Audio Data) packets in `VCAudioReceiver_SplitRedPacket`, which triggers a memory corruption in the Metal texture backing path [ref_id=1]. The crash backtrace shows `_platform_memmove` called from `VCAudioRedBuilder_UpdateAudioPacketWithRedPayload`, indicating a buffer overflow during packet processing [ref_id=1]. No authentication is required beyond the victim accepting the FaceTime call.
Affected code
The vulnerability resides in the FaceTime audio/video processing pipeline, specifically in `VCAudioReceiver_SplitRedPacket` and `VCAudioRedBuilder_UpdateAudioPacketWithRedPayload` within the AVConference framework [ref_id=1]. The crash occurs in CoreVideo's `CVMetalTextureBacking::releaseBackingUsage()` during texture processing of a malformed RTP video stream [ref_id=1].
What the fix does
The advisory states the issue was fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2, and watchOS 5.1.3 with "improved memory handling" [ref_id=1]. No patch diff is provided in the bundle, but the fix likely adds bounds checking to the RED packet splitting logic in `VCAudioReceiver_SplitRedPacket` to prevent the overflow during `_platform_memmove` [ref_id=1].
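A bounds-checked RFC 2198 (RED) payload splitter in C, added here to illustrate the kind of length validation the paragraph above speculates about. It is not Apple's code or the actual fix; `red_block`, `red_split`, `red_copy` and the sample packets are hypothetical names and constructed data for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    uint8_t pt;            /* 7-bit block payload type */
    uint16_t ts_offset;    /* 14-bit timestamp offset; 0 for the primary block */
    const uint8_t *data;   /* points into the caller's packet buffer */
    size_t len;
} red_block;

/* Split an RFC 2198 payload of n bytes. Returns block count, -1 if malformed. */
int red_split(const uint8_t *p, size_t n, red_block *out, size_t max_out)
{
    size_t off = 0, count = 0;
    for (;;) {                                   /* pass 1: header chain */
        if (off >= n || count >= max_out) return -1;
        out[count].pt = p[off] & 0x7f;
        if (!(p[off] & 0x80)) {                  /* F=0: 1-byte final header */
            out[count].ts_offset = 0;
            off += 1; count++;
            break;
        }
        if (n - off < 4) return -1;              /* truncated 4-byte header */
        out[count].ts_offset = (uint16_t)((p[off + 1] << 6) | (p[off + 2] >> 2));
        out[count].len = ((size_t)(p[off + 2] & 0x03) << 8) | p[off + 3];
        off += 4; count++;
    }
    for (size_t i = 0; i + 1 < count; i++) {     /* pass 2: redundant payloads */
        if (out[i].len > n - off) return -1;     /* claimed length exceeds packet */
        out[i].data = p + off;
        off += out[i].len;
    }
    out[count - 1].data = p + off;               /* primary takes the remainder */
    out[count - 1].len = n - off;
    return (int)count;
}

/* Copy one block out; the destination capacity is checked before memcpy. */
int red_copy(const red_block *b, uint8_t *dst, size_t cap)
{
    if (b->len > cap) return -1;
    memcpy(dst, b->data, b->len);
    return (int)b->len;
}
/* Constructed sample packets (not captured traffic): valid, and oversized block length. */
static const uint8_t RED_OK[]  = {0x85, 0x02, 0x80, 0x03, 0x00, 'A','A','A','B','B','B','B'};
static const uint8_t RED_BAD[] = {0x85, 0x02, 0x83, 0xff, 0x00, 'A','A','A','B','B','B','B'};
int main(void) { red_block b[4]; return !(red_split(RED_OK, sizeof RED_OK, b, 4) == 2 && red_split(RED_BAD, sizeof RED_BAD, b, 4) == -1); }
```

Every length taken from the packet is compared against the bytes actually remaining, and the copy is refused when the block is larger than the destination buffer.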
Preconditions
- network: Victim must accept an incoming FaceTime call from the attacker
- input: Attacker must be able to send a crafted RTP video stream to the victim
Reproduction
1. Add sandbox exceptions to `/System/Library/Sandbox/Profiles/com.apple.avconferenced.sb` and `com.apple.identityservicesd.sb` to allow file-read/write under `/out`.
2. Compile `video-replay-avc.cpp` as a dynamic library, copy to `/usr/lib/libSP.so`, and codesign it.
3. Compile `video-replay-identity.cpp` as a dynamic library, copy to `/usr/lib/libSP_IDS.so`, and codesign it.
4. Use `insert_dylib` to inject `libSP.so` into `AVConference` and `libSP_IDS.so` into `IDSFoundation`, then replace the original binaries and codesign them.
5. Extract `out.zip` into `/out` and make it world-readable.
6. Kill `avconferenced` and `identityservicesd` processes.
7. Make a FaceTime call to the target [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/46433/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- www.securityfocus.com/bid/106739 (mitre, vdb-entry, x_refsource_BID)
- support.apple.com/HT209443 (mitre, x_refsource_CONFIRM)
- support.apple.com/HT209446 (mitre, x_refsource_CONFIRM)
- support.apple.com/HT209447 (mitre, x_refsource_CONFIRM)
- support.apple.com/HT209448 (mitre, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.