⚠ Actively exploited

Added to CISA KEV on 2022-05-24. Federal agencies required to patch by 2022-06-14. Required action: Apply updates per vendor instructions..

CVE-2016-4656 — Out-of-bounds Write in Apple Iphone OS

CWE-787 — Out-of-bounds Write CWE-2648 documents7 sources

Severity

7.8HIGHNVD

EPSS

66.7%

top 1.45%

CISA KEV

KEV

Added 2022-05-24

Due 2022-06-14

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apple Iphone OS Apple IOS Apple Security Update 2016-001 EL Capitan AND Security Update 2016-005 Yosemite

Timeline

PublishedAug 25

KEV addedMay 24

KEV dueJun 14

CISA Required Action: Apply updates per vendor instructions.

Description

The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDapple/iphone_os< 9.3.5

▶Appleapple/ios9.3.5

▶Appleapple/security_update_2016-001_el_capitan_and_security_update_2016-005_yosemite

🔴Vulnerability Details

GHSA

GHSA-6x59-8x45-xrp8: The kernel in Apple iOS before 9↗2022-05-14

▶

VulnCheck

Apple iOS Memory Corruption Vulnerability↗2016

▶

💥Exploits & PoCs

Exploit-DB

WebKit - not_number defineProperties UAF (Metasploit)↗2018-06-05

▶

Metasploit

WebKit not_number defineProperties UAF↗

▶

📋Vendor Advisories

CISA

Apple iOS Memory Corruption Vulnerability↗2022-05-24

▶

Apple

CVE-2016-4656: Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite↗2016-09-01

▶

Apple

CVE-2016-4656: iOS 9.3.5↗2016-08-25

▶