CVE-2020-27950

MEDIUM KEV

iPadOS < 14.2 - Memory Disclosure via Mach Message Trailers


Exploitation Summary

CVE-2020-27950 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 3 public exploits from researchers including synacktiv, lyonzon2, X1cT34m.


Description

A memory initialization issue was addressed. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. A malicious application may be able to disclose kernel memory.

Exploits (3)

nomisec WORKING POC 34 stars
by synacktiv · local
https://github.com/synacktiv/CVE-2020-27950

This repository contains a proof-of-concept exploit for CVE-2020-27950, which leverages a use-after-free vulnerability in the XNU kernel's Mach message handling to leak kernel memory. The exploit demonstrates memory corruption by manipulating kalloc.1024 allocations and reading back leaked port addresses.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apple XNU kernel (macOS/iOS)
No auth needed
Prerequisites: Local access to a vulnerable macOS/iOS system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by lyonzon2 · client-side
https://github.com/lyonzon2/browser-crash-tool

This PoC exploits CVE-2020-27950, a WebKit vulnerability, using Metasploit's `webkit_backdrop_filter_blur` module to crash browsers via a crafted webpage. It integrates ngrok for public URL generation to facilitate testing.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: iOS WebKit (affects multiple browsers)
No auth needed
Prerequisites: Kali Linux · Metasploit Framework · ngrok
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 4 stars
by X1cT34m · cpoc
https://github.com/X1cT34m/CVE-and-PoC/tree/main/2020/CVE-2020-27950

The repository contains functional exploit code for CVE-2020-27950, demonstrating a port pointer leak and a simple PoC for a use-after-free vulnerability in the XNU kernel's Mach message handling. The code manipulates kalloc.1024 allocations to leak kernel memory addresses.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apple XNU kernel (macOS/iOS)
No auth needed
Prerequisites: Local access to a vulnerable macOS/iOS system
devstral-2 · analyzed Feb 27, 2026

References (11)

Core References
Vendor Advisory x_refsource_misc
https://support.apple.com/en-us/HT211931
Vendor Advisory x_refsource_misc
https://support.apple.com/en-us/HT211928
Vendor Advisory x_refsource_misc
https://support.apple.com/en-us/HT211929
Vendor Advisory x_refsource_misc
https://support.apple.com/en-us/HT211940
Vendor Advisory x_refsource_misc
https://support.apple.com/en-us/HT211944
Vendor Advisory x_refsource_misc
https://support.apple.com/en-us/HT211945
Vendor Advisory x_refsource_misc
https://support.apple.com/en-us/HT211946
Vendor Advisory x_refsource_misc
https://support.apple.com/en-us/HT211947
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Dec/32

Scores

CVSS v3 5.5
EPSS 0.4376
EPSS Percentile 97.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-10-29
InTheWild.io 2020-10-29
ENISA EUVD EUVD-2020-20443
CWE CWE-665
Status published
Products (4)
apple/ipados < 14.2
apple/iphone_os < 12.4.9
apple/macos < 10.15.7
apple/watchos < 5.3.9
Published Dec 08, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026