CVE-2019-8605

HIGH KEV

iPhone OS < 12.3 - Use-After-Free

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-8605 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 27, 2022. EIP tracks 4 public exploits from researchers including Google Security Research, Umang Raghuvanshi, 1nteger-c.

AI-analyzed exploit summary This exploit demonstrates a use-after-free vulnerability in the macOS kernel (CVE-2019-8605) due to improper handling of IPv6 socket options. The PoC triggers a kernel panic by reusing freed memory in the `in6_pcbdetach` function.

Description

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1. A malicious application may be able to execute arbitrary code with system privileges.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Google Security Research · textdosmultiple
https://www.exploit-db.com/exploits/46892

This exploit demonstrates a use-after-free vulnerability in the macOS kernel (CVE-2019-8605) due to improper handling of IPv6 socket options. The PoC triggers a kernel panic by reusing freed memory in the `in6_pcbdetach` function.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Racy
Target: macOS 10.14.3 (18D109)
Auth required
Prerequisites: root access · raw socket permissions
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Umang Raghuvanshi · textlocalios
https://www.exploit-db.com/exploits/47409

This is a complete exploit for CVE-2019-8605, targeting iOS versions 11.0 to 12.4. The exploit is implemented in SockPuppet3.cpp and has been verified in production multiple times.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Apple iOS 11.0—12.2, iOS 12.4
No auth needed
Prerequisites: iOS device running vulnerable version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by 1nteger-c · local
https://github.com/1nteger-c/CVE-2019-8605

This is a working proof-of-concept exploit for CVE-2019-8605, targeting a use-after-free vulnerability in the IOSurface framework on iOS. The exploit leverages kernel memory corruption to achieve local privilege escalation (LPE) by manipulating kernel structures and ultimately gaining root access.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Apple iOS (IOSurface framework)
No auth needed
Prerequisites: Vulnerable iOS device · Local access to the device
devstral-2 · analyzed Feb 16, 2026 Full analysis →
vulncheck_xdb WORKING POC
local
https://github.com/jsherman212/used_sock

This repository contains a functional kernel exploit for iOS 12-12.2 and 12.4, leveraging a use-after-free vulnerability in the socket handling code. The exploit includes detailed implementation for memory manipulation and privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: iOS 12-12.2 and 12.4
No auth needed
Prerequisites: iOS device running vulnerable version · local access to the device
devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (5)

Core 5
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT210118
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT210119
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT210120
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/HT210122

Scores

CVSS v3 7.8
EPSS 0.1751
EPSS Percentile 96.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-06-27
VulnCheck KEV 2022-06-23
InTheWild.io 2022-06-27
ENISA EUVD EUVD-2019-17995
CWE
CWE-416
Status published
Products (4)
apple/iphone_os < 12.3
apple/mac_os_x < 10.14.5
apple/tvos < 12.3
apple/watchos < 5.2.1
Published Dec 18, 2019
KEV Added Jun 27, 2022
Tracked Since Feb 18, 2026