PatchSiren cyber security CVE debrief

CVE-2016-4691 Apple CVE debrief

CVE-2016-4691 is a memory-corruption issue in Apple FontParser that can be triggered by a crafted font. The CVE description says it may allow remote attackers to execute arbitrary code or cause a denial of service via an application crash. The flaw affects Apple devices on iOS before 10.2, macOS before 10.12.2, and watchOS before 3.1.3.

Vendor: Apple
Product: CVE-2016-4691
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Apple fleet administrators, endpoint security teams, and users of affected iPhone, macOS, and watchOS systems should care most. It is especially relevant anywhere untrusted fonts may be processed by applications or services on vulnerable builds.

Technical summary

The supplied CVE description identifies the vulnerable component as Apple FontParser and describes memory corruption, triggered by a crafted font, that leads to arbitrary code execution or denial of service. NVD classifies the weakness as CWE-119 (improper restriction of operations within the bounds of a memory buffer) and rates the issue CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8 High): the attack vector is network (a crafted font can be delivered remotely, for example in a document or web page), no privileges are required, user interaction is required, and the confidentiality, integrity, and availability impacts are all high. The NVD CPE criteria enumerate affected Apple operating-system ranges ending at iPhone OS 10.1.1, macOS 10.12.1, and watchOS 2.2.2, while the CVE description states fixes are available in iOS 10.2, macOS 10.12.2, and watchOS 3.1.3.

Defensive priority

High. Prioritize patching affected Apple devices because the issue can lead to remote code execution or crashes from a crafted font and carries high confidentiality, integrity, and availability impact.

Recommended defensive actions

  • Update affected devices to the fixed Apple releases named in the CVE description: iOS 10.2 or later, macOS 10.12.2 or later, and watchOS 3.1.3 or later.
  • Inventory Apple endpoints to confirm no systems remain on the vulnerable version ranges listed in the CVE record and NVD CPE criteria.
  • Use the referenced Apple security advisories (HT207422, HT207423, HT207487) as the vendor patch guidance for your remediation tracking.
  • Triage unexpected application crashes or repeated failures in font-handling paths on affected versions as a signal to investigate and accelerate remediation.
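The inventory check above is easy to get wrong with naive string comparison ("10.2" sorts before "10.12" as text). The following script, added to this debrief as an example and not part of PatchSiren's or Apple's tooling, compares each device's OS version against the fixed releases the CVE description names and buckets the fleet into vulnerable, patched, and needs-review. The device records, the platform-name aliases, and the `Device` record layout are constructed assumptions; real data would come from your MDM export.

```python
"""Check an Apple device inventory against the CVE-2016-4691 fixed releases.

Added example, not part of the PatchSiren debrief or any Apple tool. The
inventory below is constructed sample data. The fixed versions are the ones
the CVE description names (iOS 10.2, macOS 10.12.2, watchOS 3.1.3); any
earlier version on that platform is flagged as vulnerable.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed releases per platform, as stated in the CVE description.
FIXED_VERSIONS = {
    "ios": "10.2",
    "macos": "10.12.2",
    "watchos": "3.1.3",
}

# Platform spellings seen in NVD CPE names and typical MDM exports
# (assumed mapping; extend for your own inventory source).
PLATFORM_ALIASES = {
    "iphone os": "ios", "iphoneos": "ios", "ios": "ios",
    "mac os x": "macos", "macos": "macos", "os x": "macos",
    "watch os": "watchos", "watchos": "watchos",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.12.1' into (10, 12, 1).

    Raises ValueError on junk so a malformed inventory row is surfaced for
    review instead of being silently treated as patched.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the device runs the platform at a version below the fix.

    Comparison is tuple-wise, so 10.2 > 10.1.1 and 10.12.2 > 10.12.1 as
    expected; a plain string comparison would rank '10.2' below '10.12'.
    """
    key = PLATFORM_ALIASES.get(platform.strip().lower())
    if key is None:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


@dataclass(frozen=True)
class Device:
    name: str
    platform: str
    version: str


def triage(inventory) -> dict[str, list[str]]:
    """Bucket devices into vulnerable / patched / needs_review by name."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "needs_review": []}
    for device in inventory:
        try:
            bucket = "vulnerable" if is_vulnerable(device.platform, device.version) else "patched"
        except ValueError:
            bucket = "needs_review"  # unknown platform or malformed version
        result[bucket].append(device.name)
    return result


# Constructed sample inventory (hypothetical devices, not real fleet data).
SAMPLE_INVENTORY = [
    Device("iphone-01", "iPhone OS", "10.1.1"),  # NVD CPE end bound, vulnerable
    Device("iphone-02", "iOS", "10.2"),          # fixed release
    Device("mac-01", "macOS", "10.12.1"),        # vulnerable
    Device("mac-02", "Mac OS X", "10.12.2"),     # fixed release
    Device("watch-01", "watchOS", "2.2.2"),      # vulnerable
    Device("watch-02", "watchOS", "3.1.3"),      # fixed release
    Device("mac-03", "macOS", "unknown"),        # malformed, needs review
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The check deliberately uses the "before fixed release" framing from the CVE description rather than the NVD CPE end bounds, since the two disagree for watchOS (2.2.2 versus 3.1.3) and the fixed-release test is the stricter of the two. Rows that fail to parse land in needs_review rather than being counted as patched.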

Evidence notes

This debrief is based on the supplied CVE description, the NVD record, and the official references listed in that record. NVD provides the CVSS vector, CWE-119 classification, and affected CPE criteria. Apple vendor advisories are referenced in the record, but their page contents were not separately parsed in the supplied corpus. The supplied corpus contains two version framings: the CVE description states iOS before 10.2, macOS before 10.12.2, and watchOS before 3.1.3; NVD CPE end bounds list iPhone OS 10.1.1, macOS 10.12.1, and watchOS 2.2.2.

Official resources

CVE published on 2017-02-20. The supplied record shows a later NVD modification on 2026-05-13. No KEV listing was provided.