Released March 24, 2020

Accounts

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9772: Allison Husain of UC Berkeley

Entry added May 21, 2020

ActionKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to use an SSH client provided by private frameworks

Description: This issue was addressed with a new entitlement.

CVE-2020-3917: Steven Troughton-Smith (@stroughtonsmith)

AppleMobileFileIntegrity

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to use arbitrary entitlements

Description: This issue was addressed with improved checks.

CVE-2020-3883: Linus Henze (pinauten.de)

Bluetooth

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic

Description: A logic issue was addressed with improved state management.

CVE-2020-9770: Jianliang Wu of PurSec Lab of Purdue University, Xinwen Fu and Yue Zhang of the University of Central Florida

CoreFoundation

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to elevate privileges

Description: A permissions issue existed. This issue was addressed with improved permission validation.

CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG

Icons

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Setting an alternate app icon may disclose a photo without needing permission to access photos

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-3916: Vitaliy Alekseev (@villy21)

Image Processing

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to execute arbitrary code with system privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9768: Mohamed Ghannam (@_simo36)

IOHIDFamily

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-3919: Alex Plaskett of F-Secure Consulting

Entry updated May 21, 2020

Kernel

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to read restricted memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-3914: pattern-f (@pattern_F_) of WaCai

Kernel

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed with improved state management.

CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team

libxml2

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Multiple issues in libxml2

Description: A buffer overflow was addressed with improved size validation.

CVE-2020-3910: LGTM.com

libxml2

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Multiple issues in libxml2

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2020-3909: LGTM.com

CVE-2020-3911: found by OSS-Fuzz

Mail

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A local user may be able to view deleted content in the app switcher

Description: The issue was resolved by clearing application previews when content is deleted.

CVE-2020-9780: an anonymous researcher, Dimitris Chaintinis

Mail Attachments

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Cropped videos may not be shared properly via Mail

Description: An issue existed in the selection of video file by Mail. The issue was fixed by selecting the latest version of a video.

CVE-2020-9777

Messages

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A person with physical access to a locked iOS device may be able to respond to messages even when replies are disabled

Description: A logic issue was addressed with improved state management.

CVE-2020-3891: Peter Scott

Messages Composition

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Deleted messages groups may still be suggested as an autocompletion

Description: The issue was addressed with improved deletion.

CVE-2020-3890: an anonymous researcher

Safari

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A user's private browsing activity may be unexpectedly saved in Screen Time

Description: An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling.

CVE-2020-9775: Andrian (@retroplasma), Marat Turaev, Marek Wawro (futurefinance.com) and Sambor Wawro of STO64 School Krakow Poland

Entry updated May 1, 2020

Safari

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A user may grant website permissions to a site they didn't intend to

Description: The issue was addressed by clearing website permission prompts after navigation.

CVE-2020-9781: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

Sandbox

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A local user may be able to view sensitive user information

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-3918: an anonymous researcher, Augusto Alvarez of Outcourse Limited

Entry added May 1, 2020, updated May 21, 2020

Web App

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A maliciously crafted page may interfere with other web contexts

Description: A logic issue was addressed with improved restrictions.

CVE-2020-3888: Darren Jones of Dappological Ltd.

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Some websites may not have appeared in Safari Preferences

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9787: Ryan Pickren (ryanpickren.com)

Entry added May 1, 2020

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: An application may be able to read restricted memory

Description: A race condition was addressed with additional validation.

CVE-2020-3894: Sergei Glazunov of Google Project Zero

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

CVE-2020-3899: found by OSS-Fuzz

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-3902: Yiğit Can YILMAZ (@yilmazcanyigit)

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2020-3895: grigoritchy

CVE-2020-3900: Dongzhuo Zhao working with ADLab of Venustech

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2020-3901: Benjamin Randazzo (@____benjamin)

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A download's origin may be incorrectly associated

Description: A logic issue was addressed with improved restrictions.

CVE-2020-3887: Ryan Pickren (ryanpickren.com)

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: Processing maliciously crafted web content may lead to code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9783: Apple

WebKit

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2020-3897: Brendan Draper (@6r3nd4n) working with Trend Micro’s Zero Day Initiative

WebKit Page Loading

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation

Impact: A file URL may be incorrectly processed

Description: A logic issue was addressed with improved restrictions.

CVE-2020-3885: Ryan Pickren (ryanpickren.com)