CVE-2020-27918

7.8 HIGH

📋 TL;DR

CVE-2020-27918 is a use-after-free vulnerability in Apple's WebKit browser engine: processing maliciously crafted web content can lead to arbitrary code execution in the WebKit content process. An attacker exploits it by getting a user to load a crafted page in Safari or in any app that renders web content with WebKit; combined with further sandbox-escape and privilege-escalation bugs, that can lead to full control of the device. Apple fixed it in macOS Big Sur 11.0.1, iOS 14.2, iPadOS 14.2, watchOS 7.1, tvOS 14.2, Safari 14.0.1, iCloud for Windows 11.5 and iTunes 12.11 for Windows.

💻 Affected Systems

Products:
  • macOS
  • iOS
  • iPadOS
  • watchOS
  • tvOS
  • Safari
  • iCloud for Windows
  • iTunes for Windows
Versions: Versions prior to macOS Big Sur 11.0.1, iOS 14.2, iPadOS 14.2, watchOS 7.1, tvOS 14.2, Safari 14.0.1, iCloud for Windows 11.5, iTunes 12.11 for Windows
Operating Systems: macOS, iOS, iPadOS, watchOS, tvOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of the affected products are vulnerable. The flaw is in WebKit, the engine behind Safari, every browser on iOS and iPadOS, and any app that displays web content through WKWebView, so exposure is not limited to Safari.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution in the WebKit content process chained with a separate sandbox escape and privilege escalation, giving the attacker full control of the device: data theft, ransomware deployment, or a persistent backdoor. On its own this bug yields code execution inside the sandboxed WebContent process, so full compromise requires additional vulnerabilities.

🟠

Likely Case

A malicious or compromised website (or an injected ad) triggers the use-after-free from JavaScript and runs attacker code inside the sandboxed WebContent process. From there the attacker can read what the renderer already holds (page content and same-origin data of the site being viewed) and stage further exploits; stealing system credentials or installing malware requires escaping the sandbox.

🟢

If Mitigated

Patched systems are not affected. On an unpatched system with JavaScript disabled or untrusted web content blocked, the bug is much harder to reach, since WebKit memory-corruption exploits normally rely on JavaScript to groom the heap; a failed attempt usually shows up only as a crash of the WebContent process.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (loading attacker-controlled web content in Safari or in any app that renders web content with WebKit) but no authentication or prior access. This page links no public exploit; the "Public PoC" assessment is inferred from disclosures rather than from a specific published exploit, so treat it as unconfirmed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Big Sur 11.0.1, iOS 14.2, iPadOS 14.2, watchOS 7.1, tvOS 14.2, Safari 14.0.1 (the fix for Macs on Catalina and Mojave, which do not move to 11.0.1), iCloud for Windows 11.5, iTunes 12.11 for Windows

Vendor Advisory: https://support.apple.com/en-us/HT211931 (the macOS Big Sur 11.0.1 entry; the other platforms have their own entries on Apple's security releases page, https://support.apple.com/HT201222)

Restart Required: Yes

Instructions:

1. macOS: System Preferences > Software Update (on Catalina or Mojave, install the Safari 14.0.1 update offered there).
2. iOS/iPadOS: Settings > General > Software Update.
3. watchOS: Settings > General > Software Update on the watch, or the Watch app on the paired iPhone under My Watch > General > Software Update.
4. tvOS: Settings > System > Software Updates.
5. iTunes and iCloud for Windows: run Apple Software Update, or update through the Microsoft Store if installed from there; otherwise download the current versions from Apple's website.

🔧 Temporary Workarounds

Disable JavaScript

Applies to: all affected platforms

Temporarily disable JavaScript to cut off the usual route to this bug. Most WebKit memory-corruption exploits need JavaScript to groom the heap, but the affected component is not disclosed, so this lowers exposure rather than guaranteeing the bug is unreachable, and it breaks most modern sites.

macOS: Safari > Preferences > Security > uncheck 'Enable JavaScript'. iOS/iPadOS: Settings > Safari > Advanced > turn JavaScript off.

Use Alternative Browser

Applies to: macOS and Windows only

Use a browser not built on WebKit until patched. This does not help on iOS or iPadOS, where every browser must use the system WebKit, and it does not cover other apps that render web content through WebKit.

🧯 If You Can't Patch

  • Implement web content filtering to block known malicious sites and suspicious JavaScript
  • Restrict user access to untrusted websites through proxy or firewall policies

🔍 How to Verify

Check if Vulnerable:

Compare the installed OS and application versions against the fixed versions. On macOS: Apple menu > About This Mac > Overview, and Safari > About Safari for the Safari version. On iOS/iPadOS: Settings > General > About > Software Version.

Check Version:

macOS: sw_vers -productVersion; Safari on macOS: defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString; iOS/iPadOS: Settings > General > About > Software Version; Windows: Help > About iTunes in iTunes, and the installed-apps list in Windows Settings for iCloud for Windows.

Verify Fix Applied:

Version numbers must match or exceed the patched versions: macOS 11.0.1+, iOS 14.2+, iPadOS 14.2+, watchOS 7.1+, tvOS 14.2+, Safari 14.0.1+, iCloud for Windows 11.5+, iTunes for Windows 12.11+. A Mac still on Catalina or Mojave is patched once Safari reports 14.0.1 or later, even though its OS version stays below 11.0.1.
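The version check above, as an added shell example that is not Apple tooling and not part of the advisory. It compares dotted version strings component by component as numbers, which a plain string comparison gets wrong (iTunes 12.9 sorts after 12.11 as text), and it encodes the assumption stated above that a Catalina or Mojave Mac running Safari 14.0.1 or later carries the fix. The fixed versions are the ones listed on this page; the live check at the bottom only runs on macOS because it uses sw_vers and defaults.

```shell
#!/bin/sh
# Added version-check helper for CVE-2020-27918. Not Apple tooling; the fixed
# versions are taken from the advisory above. The assumption that a Catalina or
# Mojave Mac running Safari 14.0.1 is patched is stated in the lead-in.

# version_ge A B: exit 0 if dotted version A >= B, comparing each component as a
# number (so 12.9 < 12.11, which a string compare gets wrong); missing trailing
# components count as 0, so 14.0 equals 14.0.0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# check_version NAME INSTALLED FIXED: print a verdict line; exit 0 if patched, 1 if not.
check_version() {
  if version_ge "$2" "$3"; then
    printf '%-18s %-8s PATCHED    (fix: %s)\n' "$1" "$2" "$3"
  else
    printf '%-18s %-8s VULNERABLE (needs %s)\n' "$1" "$2" "$3"
    return 1
  fi
}

# macos_patched OS_VERSION SAFARI_VERSION: exit 0 if the fix is present.
# Big Sur 11.0.1 carries it; on Catalina and Mojave it arrived as Safari 14.0.1,
# so either condition is enough.
macos_patched() {
  version_ge "$1" 11.0.1 || version_ge "$2" 14.0.1
}

# Live check. sw_vers and defaults only exist on macOS, so do nothing elsewhere.
if [ "$(uname -s)" = Darwin ]; then
  os_ver=$(sw_vers -productVersion)
  safari_ver=$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString)
  check_version macOS "$os_ver" 11.0.1 || true
  check_version Safari "$safari_ver" 14.0.1 || true
  if macos_patched "$os_ver" "$safari_ver"; then
    echo "RESULT: fix for CVE-2020-27918 is present"
  else
    echo "RESULT: update required"
  fi
fi
```

For the Windows applications, feed the versions read from the About dialogs into check_version by hand, for example check_version iTunes 12.11 12.11 and check_version iCloud 11.4 11.5, and act on the exit status from a fleet-inventory script.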

📡 Detection & Monitoring

Log Indicators:

  • Crash reports for the WebKit renderer process (com.apple.WebKit.WebContent on macOS) with Exception Type EXC_BAD_ACCESS, written under ~/Library/Logs/DiagnosticReports and /Library/Logs/DiagnosticReports; repeated renderer crashes shortly after visiting one site are the typical trace of a failed or unstable exploit
  • Unexpected browser extensions, or child processes spawned by Safari or the renderer that are not part of the normal WebKit process set (a sandboxed renderer should not be launching shells or installers)
  • Outbound connections from Safari or the renderer to hosts unrelated to the sites being visited

Network Indicators:

  • Outbound connections to known exploit-hosting or malvertising domains
  • Large, heavily obfuscated JavaScript served from unfamiliar domains, visible only where TLS is inspected at the proxy

SIEM Query:

The query below is a template and must be adapted to the field names of your EDR or log source; note that the renderer's process name on macOS is com.apple.WebKit.WebContent, not "WebKit":

source="*browser*" AND (event="crash" OR event="process_creation") AND process_name="com.apple.WebKit.WebContent"
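The crash-report indicator above, as an added triage example that is not Apple tooling and not the page's SIEM query. It scans a DiagnosticReports directory for reports where the WebKit renderer died on EXC_BAD_ACCESS, the memory-fault signature a failed use-after-free exploit leaves behind, and ignores renderer crashes with other exception types and crashes of other processes. It assumes the text .crash format that Big Sur and earlier write; the sample reports at the bottom are constructed for the offline demo, not real crash data.

```shell
#!/bin/sh
# Added crash-report triage helper; not Apple tooling and not the SIEM query above.
# Assumes the text .crash report format that Big Sur and earlier write under
# ~/Library/Logs/DiagnosticReports and /Library/Logs/DiagnosticReports.

# webkit_memory_crashes DIR: print each *.crash file under DIR whose "Process:"
# line names the WebKit renderer and whose "Exception Type:" is EXC_BAD_ACCESS,
# the signature of a memory fault such as a failed use-after-free exploit.
# Exit 0 if anything matched, 1 otherwise.
webkit_memory_crashes() {
  matched=1
  for f in "$1"/*.crash; do
    [ -f "$f" ] || continue
    if grep -q '^Process: *com\.apple\.WebKit\.WebContent' "$f" &&
       grep -q '^Exception Type: *EXC_BAD_ACCESS' "$f"; then
      printf '%s\n' "$f"
      matched=0
    fi
  done
  return $matched
}

# count_webkit_memory_crashes DIR: number of matching reports, as a bare integer.
count_webkit_memory_crashes() {
  webkit_memory_crashes "$1" | wc -l | tr -d ' '
}

# make_sample_reports: write constructed sample reports (not real crash data) to a
# temporary directory and print its path, so the filter can be exercised offline.
make_sample_reports() {
  d=$(mktemp -d)
  # renderer memory fault: should match
  cat > "$d/WebContent-2020-11-05.crash" <<'EOF'
Process:               com.apple.WebKit.WebContent [4711]
Identifier:            com.apple.WebKit.WebContent
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000038
EOF
  # renderer abort (assertion failure): should not match
  cat > "$d/WebContent-2020-11-06.crash" <<'EOF'
Process:               com.apple.WebKit.WebContent [4720]
Identifier:            com.apple.WebKit.WebContent
Exception Type:        EXC_CRASH (SIGABRT)
EOF
  # memory fault in the Safari UI process, not the renderer: should not match
  cat > "$d/Safari-2020-11-06.crash" <<'EOF'
Process:               Safari [4700]
Identifier:            com.apple.Safari
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
EOF
  printf '%s\n' "$d"
}

# Usage on a Mac: webkit_memory_crashes ~/Library/Logs/DiagnosticReports
# Offline demo with the constructed reports: exactly one file is listed.
sample_dir=$(make_sample_reports)
webkit_memory_crashes "$sample_dir" || true
rm -rf "$sample_dir"
```

A hit is a lead, not a verdict: renderer memory faults also come from ordinary WebKit bugs, so correlate the report's timestamp with the site visited (Safari history or proxy logs) and with any child processes spawned around the same time.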
