CVE-2019-8662

9.8 CRITICAL

📋 TL;DR

CVE-2019-8662 is a use-after-free vulnerability in Apple's NSDictionary deserialization that allows an attacker to execute arbitrary code or cause application crashes. It affects iOS, macOS, tvOS, and watchOS devices running outdated versions. Attackers can exploit this by tricking users into processing maliciously crafted data.

💻 Affected Systems

Products:
  • iOS
  • macOS
  • tvOS
  • watchOS
Versions: Before iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3
Operating Systems: iOS, macOS, tvOS, watchOS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running affected versions are vulnerable when processing untrusted NSDictionary data.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, data theft, or persistent malware installation.

🟠 Likely Case: Application crashes (denial of service) or limited code execution in sandboxed contexts.

🟢 If Mitigated: No impact if patched; unpatched systems remain vulnerable to exploitation attempts.

🌐 Internet-Facing: MEDIUM - Requires user interaction (processing malicious data) but can be delivered via web or network services.
🏢 Internal Only: LOW - Primarily requires local access or specific application interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious NSDictionary data, but no public proof-of-concept has been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3

Vendor Advisory: https://support.apple.com/HT210346

Restart Required: Yes

Instructions:

1. Open Settings (iOS/watchOS/tvOS) or System Preferences (macOS).
2. Navigate to Software Update.
3. Download and install the latest available update.
4. Restart the device when prompted.

🔧 Temporary Workarounds

Disable untrusted data processing (all platforms)

Avoid processing NSDictionary data from untrusted sources in applications.

Not applicable - configuration-based workaround

🧯 If You Can't Patch

  • Isolate affected devices from untrusted networks and data sources.
  • Implement application whitelisting to prevent execution of potentially malicious code.

🔍 How to Verify

Check if Vulnerable:

Check the device's operating system version against the affected versions list.

Check Version:

iOS/watchOS/tvOS: Settings > General > About > Version. macOS: Apple menu > About This Mac.

Verify Fix Applied:

Confirm the device is running iOS 12.4+, macOS 10.14.6+, tvOS 12.4+, or watchOS 5.3+.
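
For a fleet rather than a single device, the same version check can be scripted. The following is an added example, not part of the original advisory: the fixed versions are the ones listed on this page, while the inventory rows, hostnames and function names are constructed for illustration. It compares versions numerically, because a plain string comparison would sort iOS 9.3.5 above 12.4 and report it as patched.

```python
import re

# Fixed releases as listed on this page, keyed by lower-cased platform name.
FIXED = {
    "ios": (12, 4),
    "macos": (10, 14, 6),
    "tvos": (12, 4),
    "watchos": (5, 3),
}


def parse_version(text):
    """Turn '10.14.6' into (10, 14, 6); reject anything non-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def status(platform, version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for one device record."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return "unknown"  # platform not covered by this page
    try:
        seen = parse_version(version_text)
    except ValueError:
        return "unknown"  # needs manual review, never assume patched
    # Pad to equal length so 12.4 and 12.4.0 compare as the same release.
    width = max(len(seen), len(fixed))
    seen += (0,) * (width - len(seen))
    fixed += (0,) * (width - len(fixed))
    return "vulnerable" if seen < fixed else "fixed"


# Constructed inventory export: hostname, platform, OS version.
INVENTORY = [
    ("old-ipad-03", "iOS", "9.3.5"),
    ("lab-iphone-02", "iOS", "12.4.0"),
    ("build-mac-01", "macOS", "10.14.5"),
    ("kiosk-tv-01", "tvOS", "12.2"),
    ("watch-07", "watchOS", "5.3"),
    ("tablet-09", "iPadOS", "13.1"),
]


def audit(rows):
    """Map each hostname to its status."""
    return {host: status(platform, ver) for host, platform, ver in rows}


if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host}: {result}")
```

Records reported as unknown should be checked by hand rather than treated as patched.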

📡 Detection & Monitoring

Log Indicators:

  • Application crashes related to NSDictionary processing
  • Unexpected memory access errors in system logs

Network Indicators:

  • Unusual data transfers to/from devices running vulnerable versions

SIEM Query:

source="apple_system_logs" AND (event="crash" OR event="memory_error") AND process="*NSDictionary*"
