CVE-2020-9975

7.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Apple operating systems that allows an application to execute arbitrary code with kernel privileges. It affects macOS, iOS, iPadOS, tvOS, and watchOS. Successful exploitation gives attackers full system control.

💻 Affected Systems

Products:

macOS
iOS
iPadOS
tvOS
watchOS

Versions: Versions prior to macOS Big Sur 11.0.1, tvOS 14.0, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, watchOS 7.0, iOS 14.0, iPadOS 14.0

Operating Systems: macOS, iOS, iPadOS, tvOS, watchOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Mac Os X by Apple

View all CVEs affecting Mac Os X →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Tvos by Apple

View all CVEs affecting Tvos →

Watchos by Apple

View all CVEs affecting Watchos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with kernel-level privileges, allowing installation of persistent malware, data theft, and lateral movement.

🟠

Likely Case

Local privilege escalation leading to full system control by malicious applications or users.

🟢

If Mitigated

No impact if systems are fully patched and application execution is restricted.

🌐 Internet-Facing: LOW (requires local access or malicious application execution)

🏢 Internal Only: MEDIUM (requires local access but could be exploited by malicious insiders or compromised applications)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access or ability to execute malicious code on target system. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Big Sur 11.0.1, tvOS 14.0, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, watchOS 7.0, iOS 14.0, iPadOS 14.0

Vendor Advisory: https://support.apple.com/en-us/HT211843

Restart Required: Yes

Instructions:

1. Open System Preferences > Software Update. 2. Install all available security updates. 3. Restart the device when prompted.

🔧 Temporary Workarounds

Application Restriction

macOS

Restrict execution of untrusted applications to reduce attack surface

sudo spctl --master-enable
sudo spctl --enable

🧯 If You Can't Patch

Implement strict application control policies to prevent execution of untrusted code
Segment affected systems from critical network resources and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check system version against affected versions list. On macOS: sw_vers -productVersion

Check Version:

macOS: sw_vers -productVersion, iOS/iPadOS: Settings > General > About > Version

Verify Fix Applied:

Verify system version is equal to or newer than patched versions listed in fix_official.patch_version

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
Unexpected privilege escalation attempts
Suspicious process creation with elevated privileges

Network Indicators:

Unusual outbound connections from system processes
Lateral movement attempts from affected systems

SIEM Query:

process where parent_process_name in ('kernel_task', 'launchd') and process_name not in (expected_system_processes)

📊 Metadata

CVE ID: CVE-2020-9975

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: April 2, 2021

Last Updated: November 21, 2024

🔗 References

https://support.apple.com/en-us/HT211843 Vendor Advisory
https://support.apple.com/en-us/HT211844 Vendor Advisory
https://support.apple.com/en-us/HT211850 Vendor Advisory
https://support.apple.com/en-us/HT211931 Vendor Advisory
https://support.apple.com/en-us/HT212011 Vendor Advisory
https://support.apple.com/en-us/HT211843 Vendor Advisory
https://support.apple.com/en-us/HT211844 Vendor Advisory
https://support.apple.com/en-us/HT211850 Vendor Advisory
https://support.apple.com/en-us/HT211931 Vendor Advisory
https://support.apple.com/en-us/HT212011 Vendor Advisory