PatchSiren cyber security CVE debrief
CVE-2016-7591 Apple CVE debrief
CVE-2016-7591 is an Apple IOHIDFamily use-after-free that could let a crafted app run code in a privileged context or trigger a denial of service. Apple’s affected ranges in the advisory summary are iOS before 10.2, macOS before 10.12.2, and watchOS before 3.1.3.
- Vendor
- Apple
- Product
- IOHIDFamily (iOS, macOS, watchOS)
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-02-20
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-02-20
- Advisory updated
- 2026-05-13
Who should care
Apple device administrators, mobile fleet managers, and security teams responsible for iOS, macOS, and watchOS patching should care, especially where untrusted or third-party apps are permitted.
Technical summary
The NVD record maps this issue to CWE-416 (use-after-free) in Apple's IOHIDFamily component, the kernel extension that handles human-interface devices. The published CVSS v3.0 vector is AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H: the attack is local, low complexity, requires high privileges and user interaction, does not change scope, and has high confidentiality, integrity, and availability impact. Because the CVE description names a crafted app as the trigger, the practical exposure is on devices where users can install untrusted or third-party apps. NVD's CPE criteria enumerate the vulnerable Apple platforms, and the Apple vendor advisories are linked in the record.
Defensive priority
Medium priority: apply the vendor fixes during routine patching, and move faster on managed Apple fleets where users can install apps or where local privilege boundaries are especially important.
Recommended defensive actions
- Update iOS to 10.2 or later.
- Update macOS to 10.12.2 or later.
- Update watchOS to 3.1.3 or later.
- Verify that Apple devices in inventory are no longer on the vulnerable versions listed in the advisory and NVD record.
- Use vendor advisories and NVD as the authoritative references for remediation tracking.
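The three update steps and the inventory check above amount to one procedure: compare each device's OS build against the fixed-in version for its platform. The following added example (editor-supplied, not from Apple or NVD) does that over a constructed inventory. It uses the vendor fix versions from the advisory summary as the remediation threshold and also records whether a vulnerable build falls inside the narrower NVD CPE ranges quoted in the evidence notes, so that builds below the fix but outside NVD's enumeration (for example a watchOS 3.1.x build) are not silently treated as clean. The device identifiers and versions in INVENTORY are made-up sample data.

```python
"""Flag Apple devices still below the CVE-2016-7591 fix versions.

Added example for the debrief. FIXED holds the fixed-in versions from the
Apple advisory summary; CPE_END holds the upper bounds NVD's CPE criteria
enumerate. INVENTORY is constructed sample data standing in for an MDM
export (device id, platform, OS version).
"""
from typing import List, Tuple

FIXED = {"ios": "10.2", "macos": "10.12.2", "watchos": "3.1.3"}
CPE_END = {"ios": "10.1.1", "macos": "10.12.1", "watchos": "2.2.2"}

INVENTORY = [
    ("iphone-001", "iOS", "10.1.1"),
    ("iphone-002", "iOS", "10.2"),
    ("mac-001", "macOS", "10.12.1"),
    ("mac-002", "macOS", "10.12.2"),
    ("watch-001", "watchOS", "3.1.1"),
    ("watch-002", "watchOS", "3.1.3"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison; '10.2' and '10.2.0' compare equal."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(platform: str, version: str) -> str:
    """patched / vulnerable / vulnerable-unlisted / unknown platform.

    'vulnerable-unlisted' means below the vendor fix but above the top of
    NVD's CPE range, i.e. a build a CPE-only match would miss.
    """
    key = platform.lower()
    if key not in FIXED:
        return "unknown platform"
    v = parse_version(version)
    if v >= parse_version(FIXED[key]):
        return "patched"
    if v <= parse_version(CPE_END[key]):
        return "vulnerable"
    return "vulnerable-unlisted"


def audit(inventory) -> List[Tuple[str, str, str, str]]:
    """Every device that is not patched, with its classification."""
    findings = []
    for device_id, platform, version in inventory:
        status = classify(platform, version)
        if status != "patched":
            findings.append((device_id, platform, version, status))
    return findings


if __name__ == "__main__":
    for device_id, platform, version, status in audit(INVENTORY):
        print(f"{device_id:12} {platform:8} {version:8} {status}")
```

Feed it a real export by replacing INVENTORY with rows read from your MDM; anything reported as vulnerable-unlisted is a build the vendor advisory says needs the update even though an NVD CPE match alone would not flag it.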
Evidence notes
The CVE record and NVD entry identify Apple as the vendor and link to Apple support advisories (HT207422, HT207423, HT207487), plus third-party references. The CVE description states the issue affects IOHIDFamily and can lead to arbitrary code execution in a privileged context or denial of service via a crafted app. The NVD record classifies the weakness as CWE-416 and provides the CVSS v3.0 vector AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H. Note: the descriptive summary gives the fixed versions as iOS 10.2, macOS 10.12.2, and watchOS 3.1.3, while the NVD CPE criteria enumerate vulnerable ranges ending at iOS 10.1.1, macOS 10.12.1, and watchOS 2.2.2. The watchOS gap is the widest, so an inventory check keyed on the NVD CPE range alone would miss watchOS 3.x builds below 3.1.3; use the vendor advisory fix versions, not the CPE upper bounds, as the remediation threshold.
Official resources
- CVE-2016-7591 CVE record (CVE.org)
- CVE-2016-7591 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: third-party advisory and VDB entry linked from the NVD record
- Mitigation or vendor reference: Apple vendor advisories HT207422, HT207423, HT207487 (Vendor Advisory references in the NVD record)
Published by NVD on 2017-02-20; the record was modified on 2026-05-13.