PatchSiren cyber security CVE debrief
CVE-2016-4764 Apple CVE debrief
CVE-2016-4764 is an Apple WebKit memory-corruption issue that can be triggered through a crafted website. The published impact is remote code execution or denial of service, with the CVSS 3.1 vector indicating network attack, low complexity, no privileges, and user interaction required. Apple products named in the CVE and NVD data include iOS, Safari, iTunes, and tvOS.
- Vendor: Apple
- Product: CVE-2016-4764
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-20
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-20
- Advisory updated: 2026-05-13
Who should care
Organizations and individuals running affected Apple devices or software should care, especially teams managing browsers and end-user endpoints where users may browse untrusted websites. Security and IT teams should prioritize patching iOS, Safari, iTunes, and tvOS installations within the vulnerable version ranges.
Technical summary
NVD classifies the weakness as CWE-119 and rates it CVSS 3.1 8.8 High (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The issue is in WebKit and is reachable via a crafted website, which can lead to memory corruption, application crash, and arbitrary code execution. The supplied CVE description lists affected versions as iOS before 10, Safari before 10, iTunes before 12.5.1, and tvOS before 10; the NVD CPE data specifically bounds iOS through 9.3.5, Safari through 9.1.3, iTunes through 12.5, and tvOS through 9.2.2.
Defensive priority
High. This is a network-reachable browser-engine flaw with potential code execution and broad consumer/end-user exposure, so patching should be prioritized across managed Apple fleets and any systems exposed to untrusted web content.
Recommended defensive actions
- Update affected Apple software to the fixed releases referenced by Apple and NVD before allowing normal use.
- Verify deployed versions against the vulnerable ranges: iOS 9.3.5 and earlier, Safari 9.1.3 and earlier, tvOS 9.2.2 and earlier, and iTunes 12.5 and earlier per NVD CPE data (the CVE description instead states before 12.5.1, so treat anything below 12.5.1 as in scope).
- Use centralized inventory to identify any remaining vulnerable Apple endpoints or shared systems.
- Apply normal browser hardening and limit access to untrusted websites until updates are confirmed.
- Track remediation against Apple security advisories referenced by NVD for version-specific guidance.
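An added example of the version check in the actions above, written for this debrief and not taken from PatchSiren, Apple or NVD. It uses the CVE description's "before" bounds as the vulnerable range, since they contain the NVD CPE upper bounds (iOS through 9.3.5, Safari through 9.1.3, iTunes through 12.5, tvOS through 9.2.2), and the inventory and host names are constructed.

```python
"""Flag Apple inventory entries that fall in the CVE-2016-4764 vulnerable ranges."""
from dataclasses import dataclass

# Fixed releases from the CVE description: a version is vulnerable when it is
# strictly below the fixed release. These bounds are a superset of the NVD CPE
# upper bounds, so one check covers both sources (including the iTunes
# 12.5 vs. 12.5.1 discrepancy noted in the evidence section).
FIXED_RELEASES = {
    "ios": (10,),
    "safari": (10,),
    "itunes": (12, 5, 1),
    "tvos": (10,),
}

def parse_version(text: str) -> tuple:
    """Turn '9.3.5' into (9, 3, 5); ignores a trailing build suffix such as '12.5 (21)'."""
    core = text.strip().split()[0]
    return tuple(int(part) for part in core.split("."))

def is_vulnerable(product: str, version: str) -> bool:
    """True when the product is named by the CVE and the version is below its fixed release."""
    fixed = FIXED_RELEASES.get(product.lower())
    if fixed is None:
        return False  # product not in scope for this CVE
    # Tuple comparison: (9, 3, 5) < (10,) and (12, 5) < (12, 5, 1), while (10, 0, 1) >= (10,)
    return parse_version(version) < fixed

@dataclass
class Asset:
    host: str
    product: str
    version: str

def find_vulnerable(assets):
    """Return the assets whose software is still inside the vulnerable range."""
    return [a for a in assets if is_vulnerable(a.product, a.version)]

# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    Asset("iphone-01", "iOS", "9.3.5"),
    Asset("iphone-02", "iOS", "10.0.1"),
    Asset("mac-07", "Safari", "9.1.3"),
    Asset("mac-08", "Safari", "10.0"),
    Asset("mac-09", "iTunes", "12.5"),
    Asset("mac-10", "iTunes", "12.5.1"),
    Asset("appletv-03", "tvOS", "9.2.2"),
]

if __name__ == "__main__":
    for asset in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{asset.host}: {asset.product} {asset.version} needs update")
```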
Evidence notes
The debrief is based on the CVE record, NVD entry, and Apple vendor-advisory references listed by NVD. The CVE description states remote code execution or denial of service via a crafted website and identifies WebKit as the affected component. NVD assigns CVSS 3.1 8.8 High and CWE-119. One source discrepancy exists for iTunes: the CVE description says before 12.5.1, while NVD CPE criteria list iTunes through 12.5.
Official resources
- CVE-2016-4764 CVE record (CVE.org)
- CVE-2016-4764 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Vendor Advisory (four Apple entries)
CVE published on 2017-02-20. NVD lists the record as modified on 2026-05-13, but the disclosure context should be anchored to the 2017 publication date.