CVE-2019-8787

Vulnerability

An out-of-bounds read vulnerability exists in multiple Apple operating systems, addressed by improved input validation. The issue affects iOS before 13.2, iPadOS before 13.2, macOS Catalina before 10.15.1, tvOS before 13.2, and watchOS before 6.1 [1][2][3][4]. It is reachable when processing remotely supplied data without requiring particular configuration changes.

Exploitation

A remote attacker can trigger the out-of-bounds read by sending specially crafted data to the vulnerable component. No authentication or user interaction is needed, and the attacker does not require any particular network position beyond the ability to deliver network packets to the targeted device [1][2][3][4].

Impact

Successful exploitation allows the attacker to read memory contents beyond the intended buffer, leading to information disclosure. The impact is limited to memory leak; there is no evidence of code execution or privilege escalation from this vulnerability [1][2][3][4].

Mitigation

Apple fixed this vulnerability in: - iOS 13.2 and iPadOS 13.2 (released October 28, 2019) [2] - macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006 (released October 29, 2019) [1] - tvOS 13.2 (released October 28, 2019) [4] - watchOS 6.1 (released October 29, 2019) [3]

Users should update to the latest available version for their device. No workarounds are published, and this vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog.