PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7605 Apple CVE debrief

CVE-2016-7605 is a macOS Bluetooth issue: a crafted app can make the Bluetooth component dereference a NULL pointer, crashing it and potentially the system. NVD lists Mac OS X versions up to and including 10.12.1 as vulnerable, and the issue was publicly disclosed on 2017-02-20. The impact is an availability-only denial of service; the attacker needs local access and a user has to launch the crafted app.

Vendor
Apple
Product
macOS (NVD CPE: Mac OS X, up to and including 10.12.1)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-20
Original CVE updated
2026-05-13
Advisory published
2017-02-20
Advisory updated
2026-05-13

Who should care

Mac administrators, endpoint security teams, and users or fleet owners running macOS 10.12.1 or earlier should care most, especially where untrusted apps can be installed or launched.

Technical summary

The NVD record classifies this as CWE-476 (NULL Pointer Dereference) with CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: local attack vector, low complexity, no privileges required, user interaction required, unchanged scope, no confidentiality or integrity impact, high availability impact. In practical terms, a crafted app that a user runs can cause the Bluetooth component to dereference a null pointer and terminate, taking down the affected process or the system with it. The vulnerable range in NVD is Mac OS X up to and including 10.12.1, which matches the Apple reference advisory (HT207423), whose fix ships in macOS 10.12.2.

Defensive priority

Medium: patch affected macOS systems in the normal update cycle. The flaw requires a local, user-launched crafted app and affects availability only; it is not a code-execution or data-exposure issue.

Recommended defensive actions

  • Upgrade affected Macs to macOS 10.12.2 or later.
  • Inventory devices running macOS 10.12.1 or earlier and prioritize them for remediation.
  • Limit installation and execution of untrusted apps on managed endpoints.
  • Review Apple advisory HT207423 and the NVD record for the affected version scope and update guidance.
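The inventory step above is the one that takes real work on a fleet. The following added example (mine, not Apple's or PatchSiren's tooling) classifies Mac product versions against the fixed release 10.12.2 from HT207423, so that anything NVD lists as affected (10.12.1 and earlier) is flagged. The hostnames and versions in SAMPLE_INVENTORY are constructed data standing in for an MDM export; the sw_vers call is only used when the script is run on a Mac.

```python
# Added example (not Apple's or NVD's tooling): flag Macs whose product version
# is in NVD's affected range for CVE-2016-7605, i.e. before the fixed release
# 10.12.2 named in Apple advisory HT207423.
import subprocess

FIXED_VERSION = "10.12.2"  # first release carrying the fix, per HT207423


def parse_version(text):
    """'10.12.1' -> (10, 12, 1). Short forms such as '10.12' are padded to 3 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError("unexpected macOS version string: %r" % text)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version_text):
    """True when the version is strictly before the fixed release (tuple compare)."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def local_product_version():
    """Version of the running host; sw_vers exists only on macOS."""
    result = subprocess.run(["sw_vers", "-productVersion"],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def triage(inventory):
    """inventory: {hostname: version string} -> sorted hostnames still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hosts), e.g. an MDM export.
SAMPLE_INVENTORY = {
    "mac-build-01": "10.12.1",   # last affected release
    "mac-design-07": "10.11.6",  # older release, also in range
    "mac-ops-02": "10.12.2",     # first fixed release
    "mac-ops-03": "10.12",       # short form, treated as 10.12.0
    "mac-dev-11": "10.13.6",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("AFFECTED %-14s %s (< %s)" % (host, SAMPLE_INVENTORY[host], FIXED_VERSION))
    try:
        local = local_product_version()
        print("this host: %s -> %s" % (local, "AFFECTED" if is_affected(local) else "OK"))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("this host is not macOS (sw_vers unavailable); inventory check only")
```

The comparison is on integer tuples rather than strings so that 10.12.2 sorts after 10.12.10-style components correctly and "10.12" is treated as 10.12.0; a string comparison would misorder such versions. Anything reported as AFFECTED should be moved to 10.12.2 or later, as the actions above say.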

Evidence notes

The summary is based on the supplied NVD record and Apple vendor reference. NVD lists the vulnerable CPE as Mac OS X up to and including version 10.12.1 and assigns CWE-476 with a CVSS vector indicating local access, required user interaction, and high availability impact. The Apple vendor advisory referenced in the corpus is https://support.apple.com/HT207423.

Official resources

  • Apple advisory HT207423: https://support.apple.com/HT207423
  • NVD record: https://nvd.nist.gov/vuln/detail/CVE-2016-7605

Publicly disclosed on 2017-02-20 per the supplied CVE and source timeline. The NVD record was last modified on 2026-05-13; that is a metadata update date and should not be treated as the issue date.