CVE-2020-27930

CVSS 7.8 HIGH

📋 TL;DR

CVE-2020-27930 is a memory corruption vulnerability in FontParser, the font-parsing component shared by Apple's operating systems. Processing a maliciously crafted font can lead to arbitrary code execution in the process that parses it (a Safari WebContent process, a document viewer, or the system font daemon), from which an attacker can go on to compromise the device. Apple's advisory states that it was aware of reports of an exploit for this issue in the wild at the time of the fix; the bug was reported by Google Project Zero. It affects macOS, iOS, iPadOS, and watchOS.

💻 Affected Systems

Products:
  • macOS
  • iOS
  • iPadOS
  • watchOS
  • Safari
Versions: macOS before Big Sur 11.0.1 (Catalina 10.15.7 without the Supplemental Update; Mojave 10.14.6 and High Sierra 10.13.6 without Security Update 2020-006); iOS and iPadOS before 14.2 (before 12.4.9 on devices that cannot run iOS 14); watchOS before 7.1
Operating Systems: macOS, iOS, iPadOS, watchOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; no non-default setting is needed. The trigger is parsing a maliciously crafted font, which reaches FontParser through web pages (web fonts loaded by Safari/WebKit), documents with embedded fonts, and font files the user opens or installs.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the device, enabling data theft, persistence installation, and lateral movement within networks.

🟠

Likely Case

Remote code execution leading to malware installation, credential theft, or ransomware deployment on vulnerable Apple devices.

🟢

If Mitigated

Limited impact with proper network segmentation and endpoint protection, potentially only affecting isolated systems.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: ⚠️ Yes (Apple reported in-the-wild exploitation when it shipped the fix)
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

A public proof-of-concept is listed on Packet Storm, and Apple's advisory states that it is aware of reports that an exploit for this issue exists in the wild. Exploitation requires user interaction (rendering a page, document, or font file that carries the crafted font) but no authentication. Font parsers are a long-standing target because they run on attacker-controlled input inside high-value processes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Big Sur 11.0.1; macOS Catalina 10.15.7 Supplemental Update; Security Update 2020-006 for Mojave and High Sierra; iOS 14.2 and iPadOS 14.2 (iOS 12.4.9 for older devices); watchOS 7.1

Vendor Advisory: https://support.apple.com/en-us/HT211928

Restart Required: Yes

Instructions:

1. macOS: open System Preferences > Software Update (on Catalina, Mojave, and High Sierra the fix arrives as a Supplemental Update or Security Update 2020-006 in the same pane).
2. Install all available updates.
3. Restart the device when prompted.
4. iOS/iPadOS: Settings > General > Software Update.
5. watchOS: on the paired iPhone, Watch app > My Watch > General > Software Update.

🔧 Temporary Workarounds

Block web font loads in Safari

macos

Safari has no preference that disables web fonts; the Advanced > 'Never use font sizes smaller than' setting only enforces a minimum text size and has no effect on font parsing. The closest built-in mechanism is a Safari content blocker rule that blocks resources of type "font". This stops a malicious page from handing a crafted font to FontParser, but does nothing for fonts embedded in documents or installed locally (partial mitigation).
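An added example, not taken from the page or from Apple, of what that content-blocker workaround looks like: a WebKit content blocker rule list that blocks every font resource load, with an `unless-domain` exception for an assumed internal domain (`*intranet.example` is a placeholder). The list has to be delivered to Safari by a content blocker extension; there is no preference pane that loads it.

```json
[
  {
    "trigger": {
      "url-filter": ".*",
      "resource-type": ["font"],
      "unless-domain": ["*intranet.example"]
    },
    "action": { "type": "block" }
  }
]
```

Expect sites that depend on web fonts to fall back to system fonts; that is the intended trade-off while the host is unpatched.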

Use content filtering

all

Block downloads of font files (.ttf, .otf, .woff, .woff2, .dfont) and font MIME types (font/ttf, font/otf, font/woff, font/woff2, application/font-sfnt) from untrusted domains at the proxy or secure web gateway, and quarantine inbound documents that carry embedded fonts. Maintain an allowlist for known font CDNs to limit breakage.

🧯 If You Can't Patch

  • Segment unpatched Apple devices from critical network resources using firewall rules
  • Implement application allowlisting to prevent execution of unauthorized binaries dropped after exploitation
  • Do not open font files or documents from untrusted sources on unpatched hosts, and restrict font installation (Font Book) to administrators

🔍 How to Verify

Check if Vulnerable:

Check system version against the patched versions: macOS: About This Mac > Overview; iOS/iPadOS: Settings > General > About > Version; watchOS: Watch app on iPhone > My Watch > General > About > Version. Note that on Catalina, Mojave, and High Sierra the product version does not change when the Supplemental Update or Security Update 2020-006 is installed, so the version number alone does not prove the fix is present.

Check Version:

macOS: sw_vers -productVersion and sw_vers -buildVersion (the build string is what changes on Catalina after the Supplemental Update); system_profiler SPInstallHistoryDataType lists installed security updates on Mojave and High Sierra. iOS/iPadOS: Settings app. watchOS: Watch app.

Verify Fix Applied:

Big Sur and later: product version 11.0.1 or higher. Catalina: 10.15.7 with the Supplemental Update build. Mojave/High Sierra: "Security Update 2020-006" present in the install history. iOS/iPadOS 14.2 or 12.4.9 and watchOS 7.1 or higher.
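An added example (not from the original page or from Apple) that turns that check into a script: it classifies a Mac from `sw_vers -productVersion` and `sw_vers -buildVersion`, and falls back to the `system_profiler SPInstallHistoryDataType` install history for Mojave and High Sierra, where the version string is the same before and after Security Update 2020-006. The one value that is an assumption is the build string 19H15 for the Catalina 10.15.7 Supplemental Update; confirm it against Apple's advisory before relying on it.

```python
"""Added example, not from the original page or from Apple: classify a macOS
host as patched or not for CVE-2020-27930 from sw_vers output. Thresholds
follow the advisory versions quoted on this page. Assumption, to confirm
against Apple's advisory: build 19H15 is the Catalina 10.15.7 Supplemental
Update; 10.15.7 reports the same productVersion before and after it."""
import re
import subprocess

PATCHED = "patched"
VULNERABLE = "vulnerable"
CHECK_HISTORY = "check-install-history"   # version alone cannot decide

CATALINA_PATCHED_BUILD = "19H15"          # assumption, see docstring
SECURITY_UPDATE_NAME = "Security Update 2020-006"  # Mojave / High Sierra fix

_BUILD_RE = re.compile(r"^(\d+)([A-Z])(\d+)")


def parse_version(product: str) -> tuple:
    """'10.15.7' -> (10, 15, 7). Tuple comparison then orders 11.0 < 11.0.1."""
    return tuple(int(p) for p in product.strip().split("."))


def parse_build(build: str) -> tuple:
    """'19H15' -> (19, 'H', 15): Darwin major, release letter, build number."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return (int(m.group(1)), m.group(2), int(m.group(3)))


def assess(product_version: str, build_version: str) -> str:
    """Classify a (sw_vers -productVersion, sw_vers -buildVersion) pair."""
    ver = parse_version(product_version)
    if ver[0] >= 11:                                   # Big Sur and later
        return PATCHED if ver >= (11, 0, 1) else VULNERABLE
    if ver[:2] == (10, 15):                            # Catalina
        if ver < (10, 15, 7):
            return VULNERABLE
        patched = parse_build(build_version) >= parse_build(CATALINA_PATCHED_BUILD)
        return PATCHED if patched else VULNERABLE
    if ver[:2] in ((10, 14), (10, 13)):                # Mojave / High Sierra
        return CHECK_HISTORY                           # same version either way
    return VULNERABLE                                  # no fix was issued


def security_update_in_history(install_history: str) -> bool:
    """Look for the security update in `system_profiler SPInstallHistoryDataType` text."""
    return any(SECURITY_UPDATE_NAME in line for line in install_history.splitlines())


def _run(*argv: str) -> str:
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def assess_local_host() -> str:
    """Run the check on this Mac; needs sw_vers and system_profiler."""
    result = assess(_run("sw_vers", "-productVersion"), _run("sw_vers", "-buildVersion"))
    if result == CHECK_HISTORY:
        history = _run("system_profiler", "SPInstallHistoryDataType")
        result = PATCHED if security_update_in_history(history) else VULNERABLE
    return result


if __name__ == "__main__":
    print(f"CVE-2020-27930: {assess_local_host()}")
```

Run it as-is on a Mac, or call `assess()` from an inventory pipeline with the product and build strings your MDM already collects; a result of `check-install-history` means the version string was inconclusive and the install history must be consulted.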

📡 Detection & Monitoring

Log Indicators:

  • Crashes of com.apple.WebKit.WebContent, fontd, Safari, Preview, or other document viewers whose crashed thread is in libFontParser.dylib or CoreText with a memory-fault exception (EXC_BAD_ACCESS, EXC_BAD_INSTRUCTION) rather than an abort
  • Crash reports in ~/Library/Logs/DiagnosticReports and /Library/Logs/DiagnosticReports that cluster around a single web page, document, or font file
  • Unexpected child processes or network connections from a font-consuming process shortly after it handled an external font

Network Indicators:

  • Downloads of font files from newly registered or low-reputation domains (web fonts from major CDNs are routine and should not be alerted on by themselves)
  • Font loads from unusual external domains preceding a WebContent crash or anomalous outbound connection from the same host

SIEM Query:

(process_name:"com.apple.WebKit.WebContent" OR process_name:fontd OR process_name:Safari OR process_name:Preview) AND event_type:crash AND exception_type:EXC_BAD_ACCESS* AND (crash_frames:*libFontParser.dylib* OR crash_frames:*CoreText*)

Field names are illustrative and must be mapped to your SIEM's crash-event schema. Matching on every process that touches a *.ttf or *.otf path is too noisy to be useful: the system reads its own fonts constantly.
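The same detection logic as an added example over raw crash reports, not code from the original page: it parses the legacy text-format report Apple writes to `~/Library/Logs/DiagnosticReports/*.crash`, keeps only the frames of the thread that crashed, and flags a font-consuming process that took a memory fault inside FontParser or CoreText. The process allowlist and the two sample reports are constructed for the example; the symbol names in them are placeholders.

```python
"""Added example, not from the original page: flag macOS crash reports whose
crashed thread died with a memory fault inside FontParser/CoreText in a process
that parses fonts from untrusted content. Assumptions: the legacy text report
layout (*.crash); the process allowlist and both sample reports are constructed."""
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Tuple

FONT_CONSUMERS = {"com.apple.WebKit.WebContent", "fontd", "Safari", "Preview",
                  "QuickLookUIService"}                    # assumed allowlist
FONT_LIBS = ("libFontParser.dylib", "com.apple.CoreText")
MEMORY_FAULTS = ("EXC_BAD_ACCESS", "EXC_BAD_INSTRUCTION")  # not abort/assert traps

_HEADER_RE = re.compile(r"^(Process|Identifier|Exception Type):\s+(.*)$")
_THREAD_RE = re.compile(r"^Thread \d+( Crashed)?::?")
_FRAME_RE = re.compile(r"^\d+\s+(\S+)\s+0x[0-9a-f]+\s+(.*)$")


@dataclass
class CrashReport:
    process: str = ""
    identifier: str = ""
    exception_type: str = ""
    crashed_frames: List[Tuple[str, str]] = field(default_factory=list)  # (image, symbol)


def parse_crash_report(text: str) -> CrashReport:
    """Extract header fields and the frames of the crashed thread only."""
    rep, in_crashed = CrashReport(), False
    for line in text.splitlines():
        h = _HEADER_RE.match(line)
        if h:
            key, val = h.group(1), h.group(2).strip()
            if key == "Process":
                rep.process = val.split(" [")[0]          # drop trailing " [pid]"
            elif key == "Identifier":
                rep.identifier = val
            else:
                rep.exception_type = val
            continue
        t = _THREAD_RE.match(line)
        if t:                                             # thread boundary
            in_crashed = t.group(1) is not None
            continue
        f = _FRAME_RE.match(line) if in_crashed else None
        if f:
            rep.crashed_frames.append((f.group(1), f.group(2).strip()))
    return rep


def is_font_parser_crash(rep: CrashReport, depth: int = 8) -> bool:
    """A font consumer took a memory fault with FontParser/CoreText near the top of the stack."""
    if rep.process not in FONT_CONSUMERS and rep.identifier not in FONT_CONSUMERS:
        return False
    if not rep.exception_type.startswith(MEMORY_FAULTS):
        return False
    return any(img.startswith(FONT_LIBS) for img, _ in rep.crashed_frames[:depth])


def triage_directory(directory: Path) -> List[Path]:
    """Return the *.crash files in a directory that match the pattern."""
    return [p for p in sorted(directory.glob("*.crash"))
            if is_font_parser_crash(parse_crash_report(p.read_text(errors="replace")))]


# Constructed sample: WebContent faults inside FontParser while loading a web font.
SAMPLE_FONT_CRASH = """\
Process:               com.apple.WebKit.WebContent [4242]
Identifier:            com.apple.WebKit.WebContent
Responsible:           Safari [4200]

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000010
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libFontParser.dylib           \t0x00007fff2b1a2c3d TFont::ParseTable(unsigned int) + 123
1   libFontParser.dylib           \t0x00007fff2b1a1000 FPFontCreateFontsWithData + 88
2   com.apple.CoreText            \t0x00007fff2a400100 CTFontManagerCreateFontDescriptorsFromData + 40
3   com.apple.WebCore             \t0x00007fff5e000200 WebCore::FontCustomPlatformData::fontPlatformData + 16

Thread 1:
0   libsystem_kernel.dylib        \t0x00007fff20300000 mach_msg_trap + 10
"""

# Constructed sample: same process, fault in ImageIO; FontParser only shows up on
# an idle thread, so this must not be flagged.
SAMPLE_OTHER_CRASH = """\
Process:               com.apple.WebKit.WebContent [4243]
Identifier:            com.apple.WebKit.WebContent

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Crashed Thread:        0

Thread 0 Crashed::
0   com.apple.ImageIO             \t0x00007fff2c000000 IIO_Reader::readImage + 52
1   com.apple.WebCore             \t0x00007fff5e000300 WebCore::ImageDecoder::decode + 20

Thread 3:
0   libsystem_kernel.dylib        \t0x00007fff20300000 mach_msg_trap + 10
1   libFontParser.dylib           \t0x00007fff2b1a3000 TFont::Lookup + 12
"""

if __name__ == "__main__":
    for p in triage_directory(Path.home() / "Library/Logs/DiagnosticReports"):
        print(f"font-parser crash: {p}")
```

Big Sur and later also write JSON-framed `.ips` reports alongside the text format; the same three questions (which process, which exception type, which image is on the crashed thread) apply, but that layout needs its own parser.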
