CVE-2014-4404

HIGH KEV

Mac OS X IOKit Keyboard Driver Root Privilege Escalation

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2014-4404 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 10, 2022. EIP tracks 2 public exploits from researchers including Metasploit, Ian Beer, joev, including a Metasploit module exploits/osx/local/iokit_keyboard_root.

AI-analyzed exploit summary This Metasploit module exploits a heap overflow in the IOHIKeyboardMapper::parseKeyMapping function in Mac OS X before 10.10, combined with a kASLR bypass via an IORegistry bug, to achieve root privilege escalation. It writes a binary exploit and payload to temporary files, executes them, and is tested on Mavericks 10.9.5.

Description

Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalosx
https://www.exploit-db.com/exploits/35440

This Metasploit module exploits a heap overflow in the IOHIKeyboardMapper::parseKeyMapping function in Mac OS X before 10.10, combined with a kASLR bypass via an IORegistry bug, to achieve root privilege escalation. It writes a binary exploit and payload to temporary files, executes them, and is tested on Mavericks 10.9.5.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Mac OS X before 10.10 (specifically tested on 10.9.5 Mavericks)
No auth needed
Prerequisites: Local access to a vulnerable Mac OS X system · Ability to write and execute files in /tmp
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC MANUAL
by Ian Beer, joev · rubypocosx
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/iokit_keyboard_root.rb

This Metasploit module exploits a heap overflow in IOHIKeyboardMapper::parseKeyMapping (CVE-2014-4404) to achieve local privilege escalation on Mac OS X before 10.10. It leverages a kASLR bypass via IORegistry and executes a payload to gain root privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Mac OS X < 10.10 (Mavericks and earlier)
Auth required
Prerequisites: Local shell access on vulnerable Mac OS X system · Non-root user privileges
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13
Core References
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT204659
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT6441
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1030866
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/69947
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT6442
Broken Link vendor-advisory x_refsource_apple
http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
Broken Link vendor-advisory x_refsource_apple
http://archives.neohapsis.com/archives/bugtraq/2014-09/0107.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/69882
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/96111
Mailing List, Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
Vendor Advisory x_refsource_confirm
https://support.apple.com/kb/HT6535
Broken Link vendor-advisory x_refsource_apple
http://archives.neohapsis.com/archives/bugtraq/2014-09/0106.html

Scores

CVSS v3 7.8
EPSS 0.4877
EPSS Percentile 98.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-02-10
VulnCheck KEV 2022-02-10
InTheWild.io 2022-02-10
ENISA EUVD EUVD-2014-4331
CWE
CWE-787
Status published
Products (3)
apple/iphone_os < 8.0
apple/mac_os_x < 10.10.0
apple/tvos < 7.0
Published Sep 18, 2014
KEV Added Feb 10, 2022
Tracked Since Feb 18, 2026