PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-4664 Apple CVE debrief

CVE-2016-4664 is a low-severity Apple information-disclosure issue in the Sandbox Profiles component. A crafted app could read photo-directory metadata on affected devices, exposing limited information rather than allowing code execution or direct file modification. The CVE was published on 2017-02-20, and the supplied record ties it to Apple advisories for iOS, tvOS, and watchOS.

Vendor: Apple
Product: CVE-2016-4664
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Apple device administrators, mobile security teams, and users or organizations that allow third-party app installation on iPhone, iPad, Apple TV, and Apple Watch should care. The issue is especially relevant where privacy-sensitive photo metadata is a concern or where devices run older, unpatched Apple OS releases.

Technical summary

The supplied CVE description says the issue affects iOS before 10.1, tvOS before 10.0.1, and watchOS before 3.1. NVD metadata in the supplied corpus classifies it as CWE-200 (Exposure of Information to an Unauthorized Actor) with CVSS 3.0 vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The impact is limited to local information disclosure: a crafted app can read photo-directory metadata through the Sandbox Profiles component. The record does not indicate impact to integrity or availability.

Defensive priority

Low. The vulnerability is user-interaction dependent, local, and limited to confidentiality impact. It is still worth patching on any exposed Apple devices because metadata exposure can be privacy-sensitive, but it is not a high-priority exploitation path based on the supplied severity data.

Recommended defensive actions

  • Update affected Apple devices to the fixed releases referenced by Apple for iOS, tvOS, and watchOS.
  • Prioritize patching devices that can install third-party apps or that store sensitive photo libraries.
  • Use MDM or equivalent controls to keep Apple endpoints on supported versions and reduce lagging patch levels.
  • Review app installation and trust controls to limit exposure from crafted or untrusted apps.
  • Validate fleet status against the vendor advisories linked in the CVE record and remediate any devices still on vulnerable versions.
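A fleet check for the last action above, added here as an example (not PatchSiren's or Apple's code). It assumes an MDM inventory export with platform, os_version and device_id columns, and uses only the fixed releases quoted in this debrief (iOS 10.1, tvOS 10.0.1, watchOS 3.1).

```python
"""Flag Apple devices still below the fixed releases named for CVE-2016-4664.
Added example; the CSV layout is an assumed MDM export, not a vendor format."""
import csv
import io

# Minimum fixed releases per platform, taken from the CVE description above.
FIXED_RELEASES = {
    "ios": "10.1",
    "tvos": "10.0.1",
    "watchos": "3.1",
}


def parse_version(text):
    """Turn '10.0.1' into (10, 0, 1); a non-numeric component raises ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(platform, os_version):
    """True when the build is older than the fixed release for that platform.

    Tuples compare component-wise, so 9.3.5 sorts below 10.1 (a plain string
    comparison would rank '9.3.5' above '10.1') and 10.0 sorts below 10.0.1.
    """
    fixed = FIXED_RELEASES.get(platform.lower())
    if fixed is None:
        raise ValueError(f"platform not covered by this CVE: {platform}")
    return parse_version(os_version) < parse_version(fixed)


def vulnerable_devices(inventory_csv):
    """Return the device ids from the inventory that still need the update."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return sorted(
        row["device_id"]
        for row in reader
        if is_vulnerable(row["platform"], row["os_version"])
    )


# Constructed sample inventory; the device ids and builds are made up.
SAMPLE_INVENTORY = """platform,os_version,device_id
iOS,10.0.3,iphone-001
iOS,10.1,iphone-002
iOS,9.3.5,iphone-003
tvOS,10.0.1,appletv-001
tvOS,10.0,appletv-002
watchOS,3.0.2,watch-001
watchOS,3.1.1,watch-002
"""

if __name__ == "__main__":
    for device in vulnerable_devices(SAMPLE_INVENTORY):
        print("needs update:", device)
```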

Evidence notes

All statements here are derived from the supplied CVE record and its metadata: the description states the Sandbox Profiles issue and affected Apple OS versions; NVD classifies it as CWE-200 with CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N; the record links to Apple support advisories and third-party advisories. The corpus does not include the full text of the linked advisories, so this debrief avoids claims beyond the provided record.

Official resources

Publicly disclosed in the supplied CVE record on 2017-02-20. The NVD record was modified on 2026-05-13, but that later metadata update is not the original disclosure date.