CVE-2020-3826: 
macOS vulnerability analysis and mitigation

An out-of-bounds read vulnerability (CVE-2020-3826) was discovered in Apple's ImageIO component, affecting multiple Apple products including iOS 13.3.1, iPadOS 13.3.1, macOS Catalina 10.15.3, tvOS 13.3.1, watchOS 6.1.2, iTunes for Windows 12.10.4, and iCloud for Windows versions 11.0 and 7.17. The vulnerability was discovered by Samuel Groß of Google Project Zero and was addressed by Apple in January 2020 through improved input validation (Apple Support, NVD).

The vulnerability is classified as an out-of-bounds read issue in the ImageIO component that was addressed with improved input validation. The vulnerability has a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Under CVSS v2.0, it received a Base Score of 6.8 (MEDIUM) with the vector (AV:N/AC:M/Au:N/C:P/I:P/A:P) (NVD).

Processing a maliciously crafted image may lead to arbitrary code execution on affected systems (Apple Support, Apple Support).

Apple addressed this vulnerability by releasing security updates for affected products: iOS 13.3.1 and iPadOS 13.3.1, macOS Catalina 10.15.3, tvOS 13.3.1, watchOS 6.1.2, iTunes for Windows 12.10.4, iCloud for Windows 11.0, and iCloud for Windows 7.17. Users are advised to update to these versions to protect against this vulnerability (Apple Support).