CVE-2016-4622
published 2016-07-22


Priority: P355 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 18.84% (96.9th percentile)
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4623, and CVE-2016-4624.

Affected

7 ranges
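| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| apple | ios | | |
| apple | iphone_os | < 9.3.3 | 9.3.3 |
| apple | safari | < 9.1.2 | 9.1.2 |
| apple | safari | | |
| apple | tvos | < 9.2.2 | 9.2.2 |
| apple | tvos | | |
| debian | webkit2gtk | < webkit2gtk 2.12.4-1 (bookworm) | webkit2gtk 2.12.4-1 (bookworm) |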

Detection & IOCs (extracted from sources)

  • CVE-2016-4622 is a WebKit memory corruption vulnerability in the Array.prototype.slice fast path (ArrayPrototype.cpp). The bug is triggered when the length check `length == toLength(exec, thisObj)` is bypassed, allowing `fastSlice` to be called with an inconsistent length, leading to out-of-bounds memory access. Detection should focus on JavaScript engine exploitation patterns targeting JSArray fastSlice.
  • The vulnerability is triggered by visiting a maliciously crafted website; network-level detection should alert on exploitation attempts delivered via web content to WebKit-based browsers (Safari, iOS WebView, tvOS browser).
  • Detailed exploitation technique for CVE-2016-4622 is publicly documented in a Phrack paper by saelo, meaning reliable public exploit primitives exist. Monitor for JavaScript payloads referencing Array slice manipulation patterns consistent with this write-up.
  • The vulnerability affects WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2. Systems running these versions or unpatched WebKit (Debian fixed in webkit2gtk 2.12.4-1) remain vulnerable.
  • The root cause is in ArrayPrototype.cpp: the fast-path length consistency check (`length == toLength(exec, thisObj)`) must be present to prevent exploitation. Its absence (commented out) is the exploitable condition.

CVSS provenance

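| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | LOW | |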