CVE-2014-4492

Name: CVE-2014-4492
Creator: NVD / NIST
Published: 2015-01-30T11:59:21.733+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 19.73%

Last modified Jun 17, 2026

CVE-2014-4492 is a vulnerability of currently unknown severity. libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type, which allows attackers to execute arbitrary code in an _networkd context via a crafted XPC message from a sandboxed app, as demonstrated by lack of verification of the XPC dictionary data type.. EPSS estimates a 19.73% chance of exploitation in the next 30 days.

Description

libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type, which allows attackers to execute arbitrary code in an _networkd context via a crafted XPC message from a sandboxed app, as demonstrated by lack of verification of the XPC dictionary data type.

Metrics

EPSS Probability

19.73%

97.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-19

Affected Software

Vendor	Product	Versions
Apple	Iphone Os	<= 8.1.2
Apple	Mac Os X	<= 10.10.1
Apple	Tvos	<= 7.0.1

References

http://lists.apple.com/archives/security-announce/2015/Jan/msg00000.html
http://lists.apple.com/archives/security-announce/2015/Jan/msg00001.htmlVendor Advisory
http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.htmlVendor Advisory
http://packetstormsecurity.com/files/134393/Mac-OS-X-Networkd-XPC-Type-Confusion-Sandbox-Escape.html
http://support.apple.com/HT204244Vendor Advisory
http://support.apple.com/HT204245Vendor Advisory
http://support.apple.com/HT204246Vendor Advisory
http://www.exploit-db.com/exploits/35847Exploit
http://www.osvdb.org/114862
https://code.google.com/p/google-security-research/issues/detail?id=92Exploit
http://lists.apple.com/archives/security-announce/2015/Jan/msg00000.html
http://lists.apple.com/archives/security-announce/2015/Jan/msg00001.htmlVendor Advisory
http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.htmlVendor Advisory
http://packetstormsecurity.com/files/134393/Mac-OS-X-Networkd-XPC-Type-Confusion-Sandbox-Escape.html
http://support.apple.com/HT204244Vendor Advisory
http://support.apple.com/HT204245Vendor Advisory
http://support.apple.com/HT204246Vendor Advisory
http://www.exploit-db.com/exploits/35847Exploit
http://www.osvdb.org/114862
https://code.google.com/p/google-security-research/issues/detail?id=92Exploit

Timeline

Published: Jan 30, 2015
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2014-4492?

How severe is CVE-2014-4492?

Severity scoring for CVE-2014-4492 is pending analysis. The EPSS model estimates a 19.73% probability of exploitation in the next 30 days.

How do I fix CVE-2014-4492?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2014-4492?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST