CVE-2020-9996

7.8 HIGH

📋 TL;DR

CVE-2020-9996 is a use-after-free vulnerability in Apple operating systems that allows malicious applications to elevate privileges. This affects macOS, iOS, and iPadOS users running vulnerable versions. Successful exploitation could give attackers higher system permissions than intended.

💻 Affected Systems

Products:
  • macOS
  • iOS
  • iPadOS
Versions: prior to macOS Big Sur 11.0.1, iOS 14.0, and iPadOS 14.0
Operating Systems: macOS, iOS, iPadOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. Requires local access or malicious application installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level access, allowing installation of persistent malware, data theft, and lateral movement across networks.

🟠 Likely Case

Local privilege escalation enabling attackers to bypass application sandboxes, access protected system resources, and install additional malicious payloads.

🟢 If Mitigated

Limited impact with proper application vetting and sandboxing, though still potentially allowing unauthorized access to some system resources.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to install or run a malicious application. Technical details are available in public disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Big Sur 11.0.1, iOS 14.0, iPadOS 14.0

Vendor Advisory: https://support.apple.com/en-us/HT211850

Restart Required: Yes

Instructions:

1. Open System Preferences > Software Update.
2. Install available updates for macOS, iOS, or iPadOS.
3. Restart the device when prompted.

🔧 Temporary Workarounds

Application Restriction

Restrict installation of applications from untrusted sources to prevent malicious app execution.

For macOS: System Preferences > Security & Privacy > General > Allow apps downloaded from: App Store

🧯 If You Can't Patch

  • Implement strict application allowlisting to prevent unauthorized app execution
  • Use endpoint detection and response (EDR) tools to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check system version: macOS - About This Mac; iOS/iPadOS - Settings > General > About

Check Version:

macOS: `sw_vers -productVersion`; iOS/iPadOS: Settings > General > About > Version

Verify Fix Applied:

Verify system version is macOS 11.0.1+, iOS 14.0+, or iPadOS 14.0+
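The version check above is easy to get wrong in a fleet script: comparing version strings lexically misorders releases such as 10.15.7 and 11.0.1, or 11.0.1 and 11.0.10. The following shell snippet is an added example, not part of the advisory or Apple's own tooling. It compares the running macOS version against the first fixed release (11.0.1, as stated above) component by component; the function names `version_ge` and `cve_2020_9996_status` are my own, and the script assumes dot-separated numeric versions as printed by `sw_vers -productVersion`.

```shell
#!/bin/sh
# Added example: numeric, component-wise version comparison for the
# CVE-2020-9996 fixed-version check on macOS (11.0.1 per the advisory).

FIXED_MACOS="11.0.1"

# version_ge A B -> returns 0 if A >= B, comparing each dot-separated
# component numerically. Missing trailing components count as 0, so
# "11.0" < "11.0.1" and "11.0.1" == "11.0.1.0".
version_ge() {
    a="$1"; b="$2"
    i=1
    while :; do
        # A trailing dot makes cut -s treat single-component versions
        # ("11") as one field instead of dropping the line entirely.
        pa=$(printf '%s.' "$a" | cut -s -d. -f"$i")
        pb=$(printf '%s.' "$b" | cut -s -d. -f"$i")
        if [ -z "$pa" ] && [ -z "$pb" ]; then
            return 0            # all components equal
        fi
        pa=${pa:-0}; pb=${pb:-0}
        # Anything non-numeric (e.g. a beta suffix) is treated as 0.
        case "$pa" in *[!0-9]*) pa=0 ;; esac
        case "$pb" in *[!0-9]*) pb=0 ;; esac
        if [ "$pa" -gt "$pb" ]; then return 0; fi
        if [ "$pa" -lt "$pb" ]; then return 1; fi
        i=$((i + 1))
    done
}

# cve_2020_9996_status VERSION -> prints "patched" or "vulnerable"
cve_2020_9996_status() {
    if version_ge "$1" "$FIXED_MACOS"; then
        echo patched
    else
        echo vulnerable
    fi
}

# When run on a Mac, check the live system; elsewhere sw_vers is absent
# and only the functions above are defined for reuse.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    echo "macOS $v: $(cve_2020_9996_status "$v")"
fi
```

Run it with `sh check-cve-2020-9996.sh` on each endpoint, or source it and call `cve_2020_9996_status "$(sw_vers -productVersion)"` from an existing inventory script. Note that this checks only the major/minor/patch version; it does not tell you whether a later supplemental update was applied, so pair it with your MDM's patch-compliance view for the authoritative answer.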

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • Suspicious process creation with elevated privileges
  • Application sandbox violations

Network Indicators:

  • Unusual outbound connections from system processes
  • Command and control traffic from elevated processes

SIEM Query:

process_creation where parent_process_name contains 'App' and process_integrity_level changed

(Pseudo-query; adapt field names to your SIEM's schema.)
