PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-4665 Apple CVE debrief

CVE-2016-4665 is a low-severity information disclosure issue in the Sandbox Profiles component of Apple's iOS, tvOS, and watchOS. According to the supplied record, a crafted app running locally could read audio-recording metadata on affected releases of those three platforms. The CVE was published on 2017-02-20; the 2026-05-13 date on the NVD record is a later record modification, not the original disclosure date.

Vendor
Apple
Product
iOS, tvOS, watchOS (Sandbox Profiles component)
CVSS
LOW 3.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-20
Original CVE updated
2026-05-13
Advisory published
2017-02-20
Advisory updated
2026-05-13

Who should care

Organizations that manage iOS, tvOS, or watchOS devices; Apple mobile app teams; MDM and endpoint security administrators; and users running older affected Apple OS releases should care, especially where device privacy or app sandbox boundaries matter.

Technical summary

The supplied CVE describes a sandboxing flaw in Apple’s Sandbox Profiles component that can expose audio-recording metadata to a crafted app. NVD classifies the issue as local, requiring user interaction, with low confidentiality impact and no integrity or availability impact (CVSS v3.0: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). NVD also maps the weakness to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The record’s description states affected versions include iOS before 10.1, tvOS before 10.0.1, and watchOS before 3.1; the NVD CPE criteria in the supplied source item also enumerate affected Apple OS version ranges.

Defensive priority

Low

Recommended defensive actions

  • Update affected Apple devices to the vendor-fixed releases described in the record: iOS 10.1 or later, tvOS 10.0.1 or later, and watchOS 3.1 or later.
  • Use Apple's official advisories linked in the record to verify the exact fixed builds for each platform before scheduling maintenance windows.
  • Inventory devices that may still run older Apple OS versions (compare the reported OS version against the fixed release for that platform) and prioritize them for patching or replacement.
  • On managed fleets, review which installed apps could plausibly read audio-recording metadata and restrict app installation to vetted sources; the record describes exploitation by a crafted app that runs locally and needs user interaction (AV:L, UI:R), so controlling what gets installed reduces exposure on devices that cannot be updated immediately.
  • Treat the issue as an information-disclosure risk rather than a code-execution risk, but still patch promptly on devices that install third-party apps.
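The inventory step above is the one most often done by eye; here it is as a small triage script that compares each device's reported OS version with the fixed release for its platform. This is an added example, not code from the record or from Apple; the fixed-version table is taken from the record (iOS 10.1, tvOS 10.0.1, watchOS 3.1), the sample inventory is constructed for illustration and not real device data, and platforms the record does not cover (macOS in the sample) are reported separately rather than assumed safe or vulnerable.

```python
from typing import Iterable, List, Optional, Tuple

# Minimum fixed releases named in the CVE-2016-4665 record, padded to
# three components so that "10.1" and "10.1.0" compare equal.
FIXED = {
    "iOS": (10, 1, 0),
    "tvOS": (10, 0, 1),
    "watchOS": (3, 1, 0),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'10.0.2' -> (10, 0, 2). A trailing build token such as
    '10.1 (14B72)' is ignored; only the dotted release number is compared."""
    release = text.strip().split()[0]
    parts = [int(p) for p in release.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    padded = parts + [0] * (3 - len(parts))
    return padded[0], padded[1], padded[2]


def is_vulnerable(platform: str, version: str) -> Optional[bool]:
    """True if below the fixed release, False if at or above it,
    None if the platform is not covered by the record."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return None
    return parse_version(version) < fixed


def triage(inventory: Iterable[dict]) -> Tuple[List[str], List[str]]:
    """Return (vulnerable_ids, uncovered_ids) for dicts with
    'id', 'platform' and 'os_version' keys, as an MDM export might provide."""
    vulnerable: List[str] = []
    uncovered: List[str] = []
    for dev in inventory:
        verdict = is_vulnerable(dev["platform"], dev["os_version"])
        if verdict is None:
            uncovered.append(dev["id"])
        elif verdict:
            vulnerable.append(dev["id"])
    return vulnerable, uncovered


# Constructed sample inventory for illustration only (not real device data).
SAMPLE_INVENTORY = [
    {"id": "iphone-001", "platform": "iOS", "os_version": "10.0.3"},
    {"id": "iphone-002", "platform": "iOS", "os_version": "10.1"},
    {"id": "iphone-003", "platform": "iOS", "os_version": "9.3.5"},
    {"id": "appletv-001", "platform": "tvOS", "os_version": "10.0"},
    {"id": "appletv-002", "platform": "tvOS", "os_version": "10.0.1"},
    {"id": "watch-001", "platform": "watchOS", "os_version": "3.0"},
    {"id": "watch-002", "platform": "watchOS", "os_version": "3.1.1 (14S471)"},
    {"id": "mac-001", "platform": "macOS", "os_version": "10.12"},
]

if __name__ == "__main__":
    vuln, uncovered = triage(SAMPLE_INVENTORY)
    print("patch first:", vuln)
    print("platform not covered by the record:", uncovered)
```

Two details matter in practice: a bare "10.1" must not be flagged as older than 10.1.0 (hence the padding), and a platform that the record never mentions should surface as "uncovered" for a human to decide, rather than silently passing because it has no entry in the table.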

Evidence notes

This debrief is based only on the supplied CVE record and its official references. The record states that a crafted app could read audio-recording metadata via the Sandbox Profiles component on affected Apple products. NVD metadata in the supplied source item lists CVSS v3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N and CWE-200. The record also links Apple vendor advisories (support.apple.com/HT207269, HT207270, HT207271) as the primary remediation references. The modified date in 2026 reflects NVD record updates, not the original vulnerability publication date.

Official resources

Apple security advisories referenced by the record: support.apple.com/HT207269, support.apple.com/HT207270, support.apple.com/HT207271. Verify the platform and fixed build on each advisory page before relying on it for a maintenance window. The CVE was published 2017-02-20 per the supplied CVE/NVD record; the later 2026-05-13 modification date reflects database maintenance or record updates, not the initial disclosure.