Allows an attacker to use a buffer overflow to attack an iOS device remotely, requiring only viewing a malicious email message in the Mail app. Depending on the version, the attack can be carried out against the maild process in the background, without any user interaction.

Action Needed

Use the Outlook client until Apple releases a fix.


  • This vulnerability allows remote code execution.
  • Specially crafted emails can be quite small.
  • These vulnerabilities have been seen “in the wild”.
  • Attackers can delete emails to cover their tracks.
  • iOS 13 does not need the Mail app open to trigger an attack.
  • iOS 12 requires a click on the email to trigger an attack.
  • Vulnerabilities have existed since iOS 6.