[isjamesalive]

> This vulnerability was reported to Apple in Dec 2019, and it got patched somewhere in 2020. I don’t know why a CVE-2019 ID is given.

FYI: The year part of a CVE ID is either when the ID was assigned or when the issue was publicised: https://cve.mitre.org/about/faqs.html#year_portion_of_cve_id

Not (as I had assumed) when the vulnerable software was first published.