PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-4660 Apple CVE debrief

CVE-2016-4660 is an Apple FontParser vulnerability affecting multiple Apple operating systems. A crafted font can trigger an out-of-bounds read, which may disclose sensitive information or cause an application crash and denial of service. The CVE is publicly disclosed and rated high severity in the supplied record, with network attack potential but requiring user interaction.

Vendor: Apple
Product: CVE-2016-4660
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Apple device administrators, mobile fleet managers, endpoint security teams, and users who may open or render untrusted fonts or documents should care most. Organizations running older iOS, macOS, tvOS, or watchOS versions are at higher risk until patched.

Technical summary

The supplied CVE description states that FontParser can be abused via a crafted font to cause an out-of-bounds read, leading to sensitive-information exposure or a crash. NVD maps the issue to CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H and CWE-200. The record identifies affected Apple platforms as iOS, macOS, tvOS, and watchOS, with vendor advisories referenced by NVD.

Defensive priority

High. The issue is remotely reachable in the sense that malicious content can be delivered to a target, but it depends on user interaction to process the crafted font. Because the impact includes information disclosure and denial of service across multiple Apple platforms, timely patching is important for exposed fleets and any environment that handles untrusted content.

Recommended defensive actions

  • Install the Apple updates associated with the vendor advisories referenced in the record and move to versions at or above iOS 10.1, macOS 10.12.1, tvOS 10.0.1, and watchOS 3.1.
  • Prioritize patching devices that regularly open untrusted documents, previews, or font-bearing content.
  • Keep automatic update mechanisms enabled for Apple endpoints and verify compliance across managed fleets.
  • Limit exposure to untrusted font files and suspicious content sources until remediation is complete.

Evidence notes

Source corpus shows Apple FontParser as the affected component and describes a crafted-font-triggered out-of-bounds read with possible sensitive-information disclosure or application crash. NVD assigns CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H and CWE-200. The supplied CVE description lists affected versions as iOS before 10.1, macOS before 10.12.1, tvOS before 10.0.1, and watchOS before 3.1. The NVD CPE entries in the supplied record enumerate vulnerable ranges up to iOS 10.0.3, macOS 10.12.0, tvOS 10.0, and watchOS 2.2.2; this debrief preserves both data points without assuming one supersedes the other.

Official resources

Public CVE disclosure date: 2017-02-20. The supplied record was modified on 2026-05-13, which should be treated as record maintenance rather than the original issue date.