Security Experts:

Connect with us

Hi, what are you looking for?



Google Researchers Find Multiple Vulnerabilities in Apple’s ImageIO Framework

Google Project Zero security researchers have discovered multiple vulnerabilities in ImageIO, the image parsing API used by Apple’s iOS and macOS operating systems.

Google Project Zero security researchers have discovered multiple vulnerabilities in ImageIO, the image parsing API used by Apple’s iOS and macOS operating systems.

The bugs in image parsing code, some of which impact open source image libraries and not the ImageIO framework itself, can be triggered through popular messenger applications by sending specially crafted image files to the targeted user. The researchers believe it may be possible to exploit some of the flaws for remote code execution without user interaction.

Google’s researchers identified a total of 14 vulnerabilities, 5 of which affected Apple’s ImageIO framework, and 9 impacting the OpenEXR library, a high dynamic range (HDR) image file format created for computer imaging applications.

The first of the six issues reported to Apple was a buffer overflow impacting the usage of libTiff in the framework, which did not receive a CVE.

The researchers also reported out-of-bounds reads on the heap when processing DDS images (CVE-2020-3826) or JPEG images (CVE-2020-3827) with invalid size parameters, an off-by-one error in the PVR decoding logic (CVE-2020-3878), a related bug in the PVR decoder (CVE-2020-3878), and an out-of-bounds read during handling of OpenEXR images (CVE-2020-3880).

The last issue actually occurred in the OpenEXR library, third-party code bundled with ImageIO, but could not be reproduced in the upstream OpenEXR library, and the researchers decided to report it directly to Apple.

“A possible explanation is that Apple was shipping an outdated version of the OpenEXR library and the bug had been fixed upstream in the meantime,” Google Project Zero’s Samuel Groß notes.

However, after discovering this vulnerability, Google’s researchers decided to analyze the open-source library as well, and identified and reported to the OpenEXR maintainers a total of 8 likely unique vulnerabilities.

These include an out-of-bounds write (CVE-2020-11764), a bug causing a std::vector to be read out-of-bounds (CVE-2020-11763), out-of-bounds memcpy (CVE-2020-11762), out-of-bounds reads of pixel data and other data structures (CVE-2020-11760, CVE-2020-11761, CVE-2020-11758), an out-of-bounds read on the stack (CVE-2020-11765), and an integer overflow (CVE-2020-11759).

Related: Google: Protections Added by Samsung to Android Kernel Increase Attack Surface

Related: Google Researchers Detail Critical iMessage Vulnerability

Related: Google Project Zero Updates Vulnerability Disclosure Policy

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.