HighCISA KEVExploited in the wildPublic exploit

Use-after-free privilege escalation in macOS

IdentifiersCVE-2019-8526CWE-416· Use After Free

CVE-2019-8526 is a use-after-free vulnerability in macOS. Apple states that the issue was addressed through improved memory management and fixed in macOS Mojave 10.14.4. The available information indicates that a local application could trigger the memory safety flaw and gain elevated privileges. Supporting reporting also notes the vulnerability was usable by malware such as DazzleSpy to dump the macOS keychain on vulnerable systems, indicating post-compromise abuse in the context of local execution.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow a locally executing application to elevate privileges on the affected macOS system. In practical terms, this can expand an attacker’s access beyond the initial user context and enable access to protected resources; reporting specifically associates exploitation on vulnerable hosts with the ability to dump contents of the macOS keychain.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by preventing execution of untrusted local applications and payloads, restricting initial malware delivery, and monitoring for suspicious post-exploitation behavior such as unexpected keychain access or privilege-escalation activity. Standard macOS hardening, application control, and EDR monitoring can reduce the likelihood of successful abuse, but patching is the definitive mitigation.

Remediation

Patch, then assume compromise.

Upgrade affected systems to macOS Mojave 10.14.4 or later, as Apple fixed the issue in that release with improved memory management. More generally, apply current macOS security updates to ensure the vulnerability is no longer reachable on supported versions.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AppleMac Os Xoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

objective seeNews

Jan 25, 2022

Analyzing OSX.DazzleSpy

A vulnerability in Apple's Keychain (CVE-2019-8526) that allows malicious software to extract passwords from the keychain without user interaction.

eset welivesecurity blogNews

Jan 25, 2022

Watering hole deploys new macOS malware, DazzleSpy, in Asia

A vulnerability in macOS (CVE-2019-8526) that allows attackers to dump the keychain and steal credentials, used by DazzleSpy on systems running macOS versions lower than 10.14.4.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2019-8526

NVD

nvd.nist.gov/vuln/detail/CVE-2019-8526

MITRE CWE · CWE-416

Use After Free

Vendor Advisory

support.apple.com/HT209600

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-8526