CVE-2020-27950

CVSS 5.5 MEDIUMEPSS 16.5%● KEVCWE-665

In short

A memory initialization flaw allows malicious apps to read sensitive kernel memory that should be hidden. This could expose passwords, encryption keys, or other confidential data stored in the system.

Technical detail

Improper initialization of memory regions (CWE-665) permits a local malicious application to disclose kernel memory contents without proper access controls. The vulnerability requires the attacker to execute code on the target device; successful exploitation may leak sensitive kernel data including cryptographic material or process information.

Summary generated and translated by AI from the official description.

A memory initialization issue was addressed. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. A malicious application may be able to disclose kernel memory.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected products

Apple · iOS and iPadOS Apple · macOS Apple · watchOS

public PoCs found — 3

githubgithub.com/synacktiv/CVE-2020-27950★ 34 githubgithub.com/lyonzon2/browser-crash-tool★ 5 cve_referencepacketstormsecurity.com/files/161296/XNU-Kernel-Mach-Message-Trailers-Memory-Disclosure.htmlunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References