Released January 22, 2019

AppleKeyStore

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A memory corruption issue was addressed with improved validation.

CVE-2019-6235: Brandon Azad

Bluetooth

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: An attacker in a privileged network position may be able to execute arbitrary code

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-6200: an anonymous researcher

Core Media

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A malicious application may be able to elevate privileges

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-6202: Fluoroacetate working with Trend Micro's Zero Day Initiative

CVE-2019-6221: Fluoroacetate working with Trend Micro's Zero Day Initiative

CoreAnimation

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A malicious application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-6231: Zhuo Liang of Qihoo 360 Nirvan Team

CoreAnimation

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A malicious application may be able to break out of its sandbox

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2019-6230: Proteas, Shrek_wzw and Zhuo Liang of Qihoo 360 Nirvan Team

FaceTime

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A remote attacker may be able to initiate a FaceTime call causing arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2019-6224: Natalie Silvanovich of Google Project Zero

IOKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A malicious application may be able to break out of its sandbox

Description: A type confusion issue was addressed with improved memory handling.

CVE-2019-6214: Ian Beer of Google Project Zero

Kernel

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A malicious application may be able to elevate privileges

Description: A memory corruption issue was addressed with improved validation.

CVE-2019-6225: Brandon Azad of Google Project Zero, Qixun Zhao of Qihoo 360 Vulcan Team

Kernel

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-6210: Ned Williamson of Google

Kernel

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A malicious application may cause unexpected changes in memory shared between processes

Description: A memory corruption issue was addressed with improved lock state checking.

CVE-2019-6205: Ian Beer of Google Project Zero

Kernel

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2019-6213: Ian Beer of Google Project Zero

Kernel

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A malicious application may be able to determine kernel memory layout

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2019-6209: Brandon Azad of Google Project Zero

Kernel

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A malicious application may cause unexpected changes in memory shared between processes

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2019-6208: Jann Horn of Google Project Zero

Keyboard

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Password autofill may fill in passwords after they were manually cleared

Description: An issue existed with autofill resuming after it was canceled. The issue was addressed with improved state management.

CVE-2019-6206: Sergey Pershenkov

libxpc

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-6218: Ian Beer of Google Project Zero

Natural Language Processing

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Processing a maliciously crafted message may lead to a denial of service

Description: A denial of service issue was addressed with improved validation.

CVE-2019-6219: Authier Thomas

Safari Reader

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: A cross-site scripting issue existed in Safari. This issue was addressed with improved URL validation.

CVE-2019-6228: Ryan Pickren (ryanpickren.com)

SQLite

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: A maliciously crafted SQL query may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2018-20346: Tencent Blade Team

CVE-2018-20505: Tencent Blade Team

CVE-2018-20506: Tencent Blade Team

WebKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-6227: Qixun Zhao of Qihoo 360 Vulcan Team

CVE-2019-6233: G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative

CVE-2019-6234: G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative

WebKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved validation.

CVE-2019-6229: Ryan Pickren (ryanpickren.com)

WebKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2019-6215: Lokihardt of Google Project Zero

WebKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-6212: Mike Zhang from The Pangu team, Wen Xu of SSLab at Georgia Tech

CVE-2019-6216: Fluoroacetate working with Trend Micro's Zero Day Initiative

CVE-2019-6217: Fluoroacetate working with Trend Micro's Zero Day Initiative, Proteas, Shrek_wzw, and Zhuo Liang of Qihoo 360 Nirvan Team

CVE-2019-6226: Apple

Entry updated February 15, 2019

WebKit

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A logic issue was addressed with improved state management.

CVE-2019-8570: James Lee (@Windowsrcer) of S2SWWW.com

Entry added April 3, 2019, updated September 11, 2019

WebRTC

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-6211: Georgi Geshev (@munmap), Fabi Beterke (@pwnfl4k3s), and Rob Miller (@trotmaster99) of MWR Labs (@mwrlabs) working with Trend Micro's Zero Day Initiative