CVE-2017-2476
published 2017-04-02


Priority: P263
CVSS 3.0 score: 8.8 (high)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: flagged
EPSS: 6.47% (92.9th percentile)
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

Affected (7 ranges)

Vendor   Product      Version range                         Fixed in
apple    ios          -                                     -
apple    iphone_os    < 10.3                                10.3
apple    safari       < 10.1                                10.1
apple    safari       -                                     -
apple    tvos         < 10.2                                10.2
apple    tvos         -                                     -
debian   webkit2gtk   < webkit2gtk 2.14.6-1 (bookworm)      webkit2gtk 2.14.6-1 (bookworm)

Detection & IOCs (extracted from sources)

  • The vulnerability is a use-after-free in WebCore::toJS triggered via crafted web content; look for crashes or memory corruption originating from WebCore::NamedNodeMap::attribute() when it is reached through JSC property-getter chains (llint_slow_path_get_by_id / customGetter).
  • The UAF is triggered during a window load event handler; monitor for JavaScript that forces garbage collection (e.g. large allocation loops) immediately before accessing DOM NamedNodeMap attributes, which is the heap-spray/free primitive used in the PoC.
  • Crash stack anchor: WebCore::NamedNodeMap::attribute() is the use-after-free site; EDR and crash-telemetry rules should flag WebContent process crashes involving this symbol on unpatched iOS < 10.3, Safari < 10.1 and tvOS < 10.2.
  • The freed object is a 1376-byte heap region; memory forensics or ASAN-based detection can key on a use-after-free of a 1376-byte allocation within the WebContent XPC service process (com.apple.WebKit.WebContent).
  • Exploitation occurs inside the sandboxed com.apple.WebKit.WebContent XPC service; process-level monitoring should watch for anomalous child-process spawning or sandbox escapes originating from com.apple.WebKit.WebContent.Development.
  • Affected versions: iOS before 10.3, Safari before 10.1, tvOS before 10.2; WebKitGTK fixed in 2.14.6-1 on Debian. The detection hints above apply only to unpatched instances of these products.
  • On Debian/Linux (WebKitGTK), all stable branches (bookworm, bullseye, trixie, sid, forky) are resolved at version 2.14.6-1; no Linux-specific IOCs are present in the sources.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv             -         8.8     HIGH       -
vendor_debian   -         8.8     LOW        -