About the security content of tvOS 14.5
This document describes the security content of tvOS 14.5.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss or confirm security issues until an investigation has taken place and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
tvOS 14.5
AppleMobileFileIntegrity
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to bypass Privacy preferences
Description: An issue in code signature validation was addressed with improved checks.
CVE-2021-1849: Siguza
Assets
Available for: Apple TV 4K and Apple TV HD
Impact: A local user may be able to create or modify privileged files
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1836: an anonymous researcher
Audio
Available for: Apple TV 4K and Apple TV HD
Impact: an application may be able to read restricted memory
Description: a memory corruption issue was addressed with improved validation.
CVE-2021-1808: JunDong Xie of Ant Security Light-Year Lab
CFNetwork
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: A memory initialisation issue was addressed with improved memory handling.
CVE-2021-1857: an anonymous researcher
CoreAudio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted audio file may disclose restricted memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1846: JunDong Xie of Ant Security Light-Year Lab
CoreAudio
Available for: Apple TV 4K and Apple TV HD
Impact: a malicious application may be able to read restricted memory
Description: a memory corruption issue was addressed with improved validation.
CVE-2021-1809: JunDong Xie of Ant Security Light-Year Lab
CoreText
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted font may result in the disclosure of process memory
Description: a logic issue was addressed with improved state management.
CVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab
FontParser
Available for: Apple TV 4K and Apple TV HD
Impact: processing a maliciously crafted font file may lead to arbitrary code execution
Description: an out-of-bounds read was addressed with improved input validation.
CVE-2021-1881: an anonymous researcher, Xingwei Lin of Ant Security Light-Year Lab, Mickey Jin of Trend Micro and Hou JingYi (@hjy79425575) of Qihoo 360
Foundation
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to gain elevated privileges
Description: a memory corruption issue was addressed with improved validation.
CVE-2021-1882: Gabe Kirkpatrick (@gabe_k)
Foundation
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to gain root privileges
Description: A validation issue was addressed with improved logic.
CVE-2021-1813: Cees Elzinga
Heimdal
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted server messages may lead to heap corruption
Description: This issue was addressed with improved checks.
CVE-2021-1883: Gabe Kirkpatrick (@gabe_k)
Heimdal
Available for: Apple TV 4K and Apple TV HD
Impact: a remote attacker may be able to cause a denial of service
Description: A race condition was addressed with improved locking.
CVE-2021-1884: Gabe Kirkpatrick (@gabe_k)
ImageIO
Available for: Apple TV 4K and Apple TV HD
Impact: processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-1885: CFF of Topsec Alpha Team
ImageIO
Available for: Apple TV 4K and Apple TV HD
Impact: processing a maliciously crafted image may lead to arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-30653: Ye Zhang of Baidu Security
CVE-2021-1843: Ye Zhang of Baidu Security
ImageIO
Available for: Apple TV 4K and Apple TV HD
Impact: processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2021-1858: Mickey Jin of Trend Micro
iTunes Store
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker with JavaScript execution may be able to execute arbitrary code
Description: A use after free issue was addressed with improved memory management.
CVE-2021-1864: CodeColorist of Ant-Financial LightYear Labs
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: a malicious application may be able to disclose kernel memory
Description: A memory initialisation issue was addressed with improved memory handling.
CVE-2021-1860: @0xalsr
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2021-1816: Tielei Wang of Pangu Lab
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: an application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved state management.
CVE-2021-1851: @0xalsr
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: Copied files may not have the expected file permissions
Description: The issue was addressed with improved permissions logic.
CVE-2021-1832: an anonymous researcher
Kernel
Available for: Apple TV 4K and Apple TV HD
Impact: a malicious application may be able to disclose kernel memory
Description: an out-of-bounds read was addressed with improved bounds checking.
CVE-2021-30660: Alex Plaskett
libxpc
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to gain root privileges
Description: A race condition was addressed with additional validation.
CVE-2021-30652: James Hutchins
libxslt
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted file may lead to heap corruption
Description: A double free issue was addressed with improved memory management.
CVE-2021-1875: found by OSS-Fuzz
MobileInstallation
Available for: Apple TV 4K and Apple TV HD
Impact: A local user may be able to modify protected parts of the file system
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1822: Bruno Virlet of The Grizzly Labs
Preferences
Available for: Apple TV 4K and Apple TV HD
Impact: A local user may be able to modify protected parts of the file system
Description: a parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2021-1815: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)
CVE-2021-1739: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)
CVE-2021-1740: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)
Tailspin
Available for: Apple TV 4K and Apple TV HD
Impact: a local attacker may be able to elevate their privileges
Description: a logic issue was addressed with improved state management.
CVE-2021-1868: Tim Michaud of Zoom Communications
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: a memory corruption issue was addressed with improved validation.
CVE-2021-1844: Clément Lecigne of Google’s Threat Analysis Group, Alison Huffman of Microsoft Browser Vulnerability Research
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to a cross-site scripting attack
Description: An input validation issue was addressed with improved input validation.
CVE-2021-1825: Alex Camboe of Aon’s Cyber Solutions
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2021-1817: an anonymous researcher
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1826: an anonymous researcher
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may result in the disclosure of process memory
Description: A memory initialisation issue was addressed with improved memory handling.
CVE-2021-1820: an anonymous researcher
WebKit Storage
Available for: Apple TV 4K and Apple TV HD
Impact: processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
CVE-2021-30661: yangkang(@dnpushme) of 360 ATA
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.