Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Neutron kernel type confusion privilege escalation in Apple iOS/macOS/watchOS

IdentifiersCVE-2020-27932CWE-843· Access of Resource Using…

CVE-2020-27932 is a kernel type confusion vulnerability in Apple operating systems. Apple states the issue was caused by improper state handling and was fixed with improved state handling. A malicious application may exploit the flaw to execute arbitrary code with kernel privileges. Supporting reporting on the Coruna exploit kit identifies this vulnerability as the privilege-escalation component codenamed "Neutron," affecting iOS 13.x and fixed in iOS 14.2. The vulnerability is therefore best characterized as a local kernel privilege-escalation bug arising from type confusion in kernel processing.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution in kernel context. This yields full privilege escalation from an unprivileged application to kernel privileges, enabling complete device compromise, bypass of OS security boundaries, access to protected kernel-managed resources, installation of persistent payloads, and use as a post-exploitation step in a larger exploit chain. The content also indicates the issue was actively exploited in the wild.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by preventing installation and execution of untrusted or malicious applications, enforcing strong application control / MDM policy on managed Apple devices, and limiting use of devices that cannot be updated. Because the vulnerability is exploited by a malicious application and has been used as a privilege-escalation stage in exploit chains, minimizing untrusted code execution is the primary interim mitigation. Specific vendor mitigations beyond patching are not provided in the content.

Remediation

Patch, then assume compromise.

Apply Apple security updates that address CVE-2020-27932. The content states fixes are included in macOS Big Sur 11.0.1, macOS Catalina 10.15.7 Supplemental Update / Update, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2, iPadOS 14.2, iOS 12.4.9, watchOS 7.1, watchOS 6.2.9, and watchOS 5.3.9. For affected iOS 13.x devices, upgrading to iOS 14.2 or later remediates the issue.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AppleIcloudapplication
AppleIpadosoperating_system
AppleIphone Osoperating_system
AppleItunesapplication
AppleMac Os Xoperating_system
AppleMacosoperating_system
AppleWatchosapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

11 SOURCESView more in app
breakglass intelNews
Apr 2, 2026
PLASMAGRID: Inside an iOS Exploit Kit With 6 Cloudflare Accounts, a Custom DGA, and a Coordinated Law Enforcement Takedown - Breakglass Intelligence - Breakglass Intelligence

An iOS vulnerability listed as exploited by the Coruna exploit kit.

Read more
security affairsNews
Mar 20, 2026
Apple urges iPhone users to update as Coruna and DarkSword exploit kits emerge

A privilege escalation exploit component used within the Coruna iOS exploit kit.

Read more
security affairsNews
Mar 12, 2026
Apple issues emergency fixes for Coruna flaws in older iOS versions

A privilege-escalation (PE) vulnerability incorporated into Coruna exploit chains to elevate privileges after initial code execution.

Read more
arstechnica securityNews
Mar 6, 2026
Feds take notice of iOS vulnerabilities exploited under mysterious circumstances - Ars Technica

An iOS privilege-escalation chain component (labeled 'PE') used in Coruna samples affecting iOS 13.x and fixed in iOS 14.2.

Read more
+7 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence8

Every observed campaign linking this CVE to a named adversary.

Associated malware13

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2020-27932
NVD
nvd.nist.gov/vuln/detail/CVE-2020-27932
MITRE CWE · CWE-843
Access of Resource Using Incompatible Type…
Vendor Advisory
support.apple.com/en-us/HT211928
Vendor Advisory
support.apple.com/en-us/HT211929
Vendor Advisory
support.apple.com/en-us/HT211931
Vendor Advisory
support.apple.com/en-us/HT211940
Vendor Advisory
support.apple.com/en-us/HT211944
Vendor Advisory
support.apple.com/en-us/HT211945
Vendor Advisory
support.apple.com/en-us/HT211946
Vendor Advisory
support.apple.com/en-us/HT211947
Third Party Advisory
packetstormsecurity.com/files/161295/XNU-Kernel-Turnstiles-Type-Confusion.html
+2 more references
view more in app