Vulnerability Note VU#498105

Apple Mac OS X CoreText uninitialized pointer vulnerability

Original Release date: 14 Nov 2007 | Last revised: 15 Nov 2007


Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.


Apple Mac OS X CoreText is a framework for handling text on Mac OS X Tiger (10.4) and later. Mac OS X CoreText fails to properly initialize pointers, which can cause memory corruption. Any application that uses the CoreText framework for handling text may be vulnerable.


By convincing a user to view specially crafted text, a remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system.


Apply an update

This issue is addressed in Mac OS X 10.4.11 and Apple Security Update 2007-008.

Systems Affected

Vendor                Status    Date Notified  Date Updated
Apple Computer, Inc.  Affected  24 Oct 2006    12 Nov 2007

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2007-4682
  • Date Public: 14 Oct 2007
  • Date First Published: 14 Nov 2007
  • Date Last Updated: 15 Nov 2007
  • Severity Metric: 7.76
  • Document Revision: 8

