Description
Little Snitch version 3.0 through 3.6.1 suffer from a buffer overflow vulnerability that could be locally exploited which could lead to an escalation of privileges (EoP) and unauthorised ring0 access to the operating system. The buffer overflow is related to insufficient checking of parameters to the "OSMalloc" and "copyin" kernel API calls.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/94352
Various Sources x_refsource_misc
https://speakerdeck.com/patrickwardle/defcon-2016-i-got-99-problems-but-little-snitch-aint-one
Scores
CVSS v3
8.4
EPSS
0.0042
EPSS Percentile
33.6%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-119
Status
published
Products (22)
n/a/Little Snitch version 3.0 through 3.6.1
Little Snitch version 3.0 through 3.6.1
obdev/little_snitch
3.0
obdev/little_snitch
3.0.1
obdev/little_snitch
3.0.2
obdev/little_snitch
3.0.3
obdev/little_snitch
3.0.4
obdev/little_snitch
3.1
obdev/little_snitch
3.1.1
obdev/little_snitch
3.3
obdev/little_snitch
3.3.1
... and 12 more
Published
Nov 15, 2016
Tracked Since
Feb 18, 2026