Vulnerability Details : CVE-2014-8146
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.
Vulnerability category: Overflow; Execute code; Denial of service
Products affected by CVE-2014-8146
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
- cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
- cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:c\/c\+\+:*:*
Threat overview for CVE-2014-8146
- Top countries where our scanners detected CVE-2014-8146
- Top open port discovered on systems with this issue: 548
- IPs affected by CVE-2014-8146: 1,275
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2014-8146
- EPSS score: 1.50% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~87% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-8146
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
CWE ids for CVE-2014-8146
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8146
- [Full Disclosure: [CVE-2014-8146/8147] - ICU heap and integer overflows / I-C-U-FAIL](http://seclists.org/fulldisclosure/2015/May/14) - Mailing List; Exploit; Third Party Advisory
- [International Components for Unicode: Multiple vulnerabilities (GLSA 201507-04) - Gentoo security](https://security.gentoo.org/glsa/201507-04) - Third Party Advisory
- [VU#602540 - ICU Project ICU4C library contains multiple overflow vulnerabilities](http://www.kb.cert.org/vuls/id/602540) - Third Party Advisory; US Government Resource
- [Oracle Solaris Third Party Bulletin - October 2015](http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html) - Third Party Advisory
- [About the security content of OS X El Capitan v10.11 - Apple Support](https://support.apple.com/HT205267) - Third Party Advisory
- [Oracle Critical Patch Update - April 2019](https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html)
- [Apple - Lists.apple.com](http://lists.apple.com/archives/security-announce/2015/Sep/msg00001.html) - Mailing List
- [Apple - Lists.apple.com](http://lists.apple.com/archives/security-announce/2015/Sep/msg00005.html) - Mailing List
- [ICU Project ICU4C Library Multiple Buffer Overflow Vulnerabilities](http://www.securityfocus.com/bid/74457) - Third Party Advisory; VDB Entry
- [About the security content of iOS 9 - Apple Support](https://support.apple.com/HT205212) - Third Party Advisory
- [Changeset 37162 - Unicode ICU trac](http://bugs.icu-project.org/trac/changeset/37162) - Issue Tracking; Vendor Advisory
- [Apple - Lists.apple.com](http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html) - Mailing List
- [Apple - Lists.apple.com](http://lists.apple.com/archives/security-announce/2015/Sep/msg00003.html) - Mailing List
- [oss-security - [CVE-2014-8146/8147] - ICU heap and integer overflows / I-C-U-FAIL](http://openwall.com/lists/oss-security/2015/05/05/6) - Mailing List
- [Debian -- Security Information -- DSA-3323-1 icu](http://www.debian.org/security/2015/dsa-3323) - Third Party Advisory
- [Oracle Critical Patch Update - October 2015](http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html) - Patch
- [i-c-u-fail.txt (pedrib/PoC)](https://raw.githubusercontent.com/pedrib/PoC/master/generic/i-c-u-fail.txt) - Exploit
- [About the security content of iTunes 12.3 - Apple Support](https://support.apple.com/HT205221) - Third Party Advisory
- [About the security content of watchOS 2 - Apple Support](https://support.apple.com/HT205213) - Third Party Advisory