CVE-2019-8662

Vulnerability

A use-after-free vulnerability exists in the deserialization of NSDictionary objects in Foundation framework. When an application deserializes an untrusted NSDictionary, the memory management can be mishandled, leading to a use-after-free condition. This issue affects iOS versions prior to 12.4, macOS Mojave prior to 10.14.6, tvOS prior to 12.4, and watchOS prior to 5.3 [1][2][3][4].

Exploitation

An attacker can exploit this vulnerability by providing a maliciously crafted NSDictionary to a vulnerable application that deserializes untrusted data. No authentication or special privileges are required if the application processes external input. The attacker must deliver the crafted object via a vector such as a malicious app, email attachment, or web content. Upon deserialization, the use-after-free is triggered, potentially allowing the attacker to control program flow.

Impact

Successful exploitation could lead to arbitrary code execution in the context of the affected application, or cause a denial of service via application crash. The impact is limited to the sandbox of the application, but could be escalated if the application has elevated privileges.

Mitigation

Apple addressed this issue with improved checks in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, and watchOS 5.3, all released on July 22, 2019 [1][2][3][4]. Users should update to the latest available versions. No workarounds are documented. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.