VDB
GCVE-110-CERTCC-2020-127371
GCVE-110-CERTCC-2020-127371
Advisory PublishedCVSS 7.2/10
### Overview ###
<p>iOS, iPadOS, tvOS, watchOS, and macOS contain a double-free vulnerability in the GNU kernel's `lio_listio()` function, which can allow a malicious application to achieve unsandboxed, kernel-level code execution.</p>
### Description ###
<p>iOS, iPadOS, tvOS, watchOS, and macOS contain an a double-free vulnerability in the GNU kernel's `lio_listio()` function. This can lead to triggering a use-after-free condition. This vulnerability can allow code execution with kernel privileges. This vulnerability is being used by the public <a href="https://unc0ver.dev/">unc0ver</a> 5.0 jailbreak utility, which claims to support all devices from iOS 11 through 13.5, excluding versions 12.3-12.3.2 and 12.4.2-12.4.5. It is also reported that this jailbreak works on modern iOS devices that use a CPU that supports <a href="https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html">Pointer Authentication Code (PAC)</a>, which indicates that PAC does not prevent exploitation of this vulnerability.</p>
It is reported that this vulnerability is a regression of the vulnerability known as [LightSpeed](https://www.synacktiv.com/posts/exploit/lightspeed-a-race-for-an-iosmacos-sandbox-escape.html).
### Impact ###
By convincing a user to run a malicious application on a device running iOS, iPadOS, tvOS, watchOS, or macOS, an attacker may be able to achieve arbitrary code execution in the kernel that is not restricted by sandboxes or other OS protections.
### Solution ###
#### Apply updates
This issue is addressed in the following OS updates from Apple:
[macOS Catalina 10.15.5 Supplemental Update, Security Update 2020-003 High Sierra](https://support.apple.com/en-us/HT211215)
[tvOS 13.4.6](https://support.apple.com/en-us/HT211216)
[watchOS 6.2.6](https://support.apple.com/en-us/HT211217)
[iOS 13.5.1 and iPadOS 13.5.1](https://support.apple.com/en-us/HT211214)
### Acknowledgements ###
This document was written by Will Dormann.
Risk Scores
CVSS 2.0
7.2/10
High · AV:L/AC:L/Au:N/C:C/I:C/A:C
certcc-cam
certcc-cam
impact0population0exploitation0widely_known0score_current0ease_of_exploitation0
certcc-vrda
certcc-vrda
d1_impact4d1_population4d1_direct_report1
certcc-cvss-temporal-env
certcc-cvss-temporal-env
temporal_score6.8remediation_levelUreport_confidenceCenvironmental_score6.79201114368target_distributionHenvironmental_vectorCDP:ND/TD:H/CR:ND/IR:ND/AR:ND
Aliases
References
Browse GCVE Records
73,866 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.