An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HApple iPadOS
OSApple< 14.8Apple iOS
OSApple< 12.5.513.0 – 14.8 (bez)Apple macOS
OSApple< 11.6Apple Mac Os X
OSApple10.15.710.15 – 10.15.7 (bez)Apple watchOS
OSApple< 7.6.2Freedesktop Poppler
APPFreedesktop< 22.09.0Xpdfreader Xpdf
APPXpdfreader< 4.04
CISA KEV — detailsi
- Vendori
- Apple ↗
- Producti
- Multiple Products
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- November 17, 2021(overdue)
Apply updates per vendor instructions.
Apple iOS, iPadOS, macOS, and watchOS CoreGraphics contain an integer overflow vulnerability which may allow code execution when processing a maliciously crafted PDF. The vulnerability is also known under the moniker of FORCEDENTRY.
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach
Apple — memory corruption (RCE) w przetwarzaniu strumieni audio
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki