CVE-2019-8506

HIGH KEV

iCloud < 7.11 - Remote Code Execution via Type Confusion

Title source: llm

Exploitation Summary

CVE-2019-8506 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 4, 2022. EIP tracks 1 public exploit from researchers including Google Security Research.

AI-analyzed exploit summary This exploit leverages a type confusion vulnerability in JavaScriptCore's inferred type mechanism to bypass watchpoints, allowing arbitrary memory corruption. It manipulates the regExpMatchesArrayWithGroupsStructure to achieve this by forcing the engine into a 'bad time' state.

Description

A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.2, tvOS 12.2, watchOS 5.2, Safari 12.1, iTunes 12.9.4 for Windows, iCloud for Windows 7.11. Processing maliciously crafted web content may lead to arbitrary code execution.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · javascriptdosmultiple

https://www.exploit-db.com/exploits/46647

View Code ZIP pw:eip

This exploit leverages a type confusion vulnerability in JavaScriptCore's inferred type mechanism to bypass watchpoints, allowing arbitrary memory corruption. It manipulates the regExpMatchesArrayWithGroupsStructure to achieve this by forcing the engine into a 'bad time' state.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: WebKit JavaScriptCore (Safari)

No auth needed

Prerequisites: WebKit-based browser (e.g., Safari) · JavaScript execution context

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →