CVE-2019-8662

CRITICAL

iPhone OS < 12.4 - Use-After-Free via Untrusted NSDictionary Deserialization

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-8662. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit leverages a deserialization vulnerability in NSUnarchiver via NSSharedKeyDictionary, causing a crash due to an out-of-bounds memory access. Combined with a heap spray, it could lead to remote code execution.

Description

This issue was addressed with improved checks. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, watchOS 5.3. An attacker may be able to trigger a use-after-free in an application deserializing an untrusted NSDictionary.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Google Security Research · textdosmultiple

https://www.exploit-db.com/exploits/47608

View Code ZIP pw:eip

This exploit leverages a deserialization vulnerability in NSUnarchiver via NSSharedKeyDictionary, causing a crash due to an out-of-bounds memory access. Combined with a heap spray, it could lead to remote code execution.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Complex

Reliability

Theoretical

Target: Apple macOS 10.14.6 (iMessage processing)

No auth needed

Prerequisites: Ability to send malicious iMessage to target

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WRITEUP VERIFIED

by Google Security Research · textdosmultiple

https://www.exploit-db.com/exploits/47189

View Code ZIP pw:eip

The writeup describes a deserialization vulnerability in NSKeyedUnarchiver where child classes of whitelisted classes can bypass secure coding checks, leading to use-after-free issues. The example involves OITSUIntDictionary from the OfficeImport framework, which can be exploited via untrusted archives.

Classification

Writeup 90%

Attack Type

Deserialization

Complexity

Complex

Reliability

Theoretical

Target: Apple macOS/iOS (NSKeyedUnarchiver, OfficeImport framework)

No auth needed

Prerequisites: Target process must have OfficeImport library loaded · Ability to deliver malicious archive (e.g., via iMessage)

MITRE ATT&CK

T1559 - Inter-Process Communication T1559.001 - Component Object Model

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory x_refsource_misc

https://support.apple.com/HT210353

Vendor Advisory x_refsource_misc

https://support.apple.com/HT210346

Vendor Advisory x_refsource_misc

https://support.apple.com/HT210348

Vendor Advisory x_refsource_misc

https://support.apple.com/HT210351

Scores

CVSS v3 9.8

EPSS 0.0978

EPSS Percentile 94.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-416 CWE-502

Status published

Products (4)

apple/iphone_os < 12.4

apple/mac_os_x < 10.14.6

apple/tvos < 12.4

apple/watchos < 5.3

Published Dec 18, 2019

Tracked Since Feb 18, 2026