PatchSiren cyber security CVE debrief

CVE-2016-7636 Apple CVE debrief

CVE-2016-7636 is an Apple Security component issue affecting iOS, macOS, and watchOS. According to the CVE description, a man-in-the-middle attacker can abuse OCSP responder URL handling to trigger a denial of service through an application crash. The supplied NVD record rates this as a medium-severity availability issue with no confidentiality or integrity impact.

Vendor: Apple
Product: CVE-2016-7636
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Apple device administrators, mobile device management teams, endpoint security teams, and network teams responsible for traffic paths that could influence outbound certificate-validation or OCSP requests.

Technical summary

The supplied record describes a network-reachable issue with no privileges and no user interaction required, but with high attack complexity. NVD maps it to CVSS 3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H and CWE-20. The vulnerability affects Apple's Security component and is described as involving OCSP responder URLs, where a MITM attacker can induce an application crash on affected Apple operating systems.

Defensive priority

Medium priority. Patch during routine Apple maintenance windows, with extra attention for fleets that depend on device availability. The supplied data indicates a crash/DoS condition rather than code execution or data exposure.

Recommended defensive actions

  • Update affected Apple systems to OS versions outside the affected ranges listed in the CVE description.
  • Prioritize iOS, macOS, and watchOS devices that are externally exposed or frequently used on untrusted networks.
  • Review proxies, TLS inspection appliances, and other controls that sit in the path of certificate-validation (OCSP) traffic; the vector is an on-path attacker manipulating OCSP responder URL handling, so confirm these controls neither rewrite that traffic nor introduce unintended instability.
  • Track Apple security advisories linked from the NVD record for platform-specific remediation guidance.
  • Confirm remediation by verifying device OS versions are newer than the affected ranges in the CVE record.
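The last two actions amount to comparing each device's OS version against the affected ranges. The following is an added example (not PatchSiren's, Apple's, or NVD's code) that triages a constructed MDM inventory export against both boundary statements the debrief preserves: the CVE description prose ("before 10.2" and so on) and the NVD CPE criteria ("through 10.1.1" and so on). The export format (`device_id,platform,os_version`) and every device in it are assumptions made for the example; the version boundaries are the ones quoted in this debrief. Versions are compared as integer tuples, because a plain string comparison would rank macOS 10.9 above 10.12.2 and misclassify devices.

```python
import re

CVE_ID = "CVE-2016-7636"

# Boundaries as stated in the CVE description prose: "iOS before 10.2,
# macOS before 10.12.2, watchOS before 3.1.3" -> first version NOT affected.
FIRST_FIXED = {"ios": "10.2", "macos": "10.12.2", "watchos": "3.1.3"}

# Boundaries as listed in the NVD CPE criteria: "iPhone OS through 10.1.1,
# macOS through 10.12.1, watchOS through 2.2.2" -> last version affected.
LAST_AFFECTED_CPE = {"ios": "10.1.1", "macos": "10.12.1", "watchos": "2.2.2"}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Turn '10.12.2' into (10, 12, 2); reject anything that is not dotted digits."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare(a, b):
    """Numeric comparison of version tuples, padding with zeros so 10.2 == 10.2.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def classify(platform, version_text):
    """Classify one device against CVE-2016-7636.

    'fixed'            : at or above the first fixed version from the prose
    'affected'         : at or below the last affected version in the CPE criteria
    'boundary'         : affected per the prose but outside the CPE range
                         (the discrepancy noted in the evidence section)
    'unknown-platform' : platform not named in the record (e.g. tvOS)
    """
    key = platform.lower().replace(" ", "")
    if key not in FIRST_FIXED:
        return "unknown-platform"
    version = parse_version(version_text)
    if compare(version, parse_version(FIRST_FIXED[key])) >= 0:
        return "fixed"
    if compare(version, parse_version(LAST_AFFECTED_CPE[key])) <= 0:
        return "affected"
    return "boundary"


# Constructed sample inventory export; device ids and versions are invented.
SAMPLE_INVENTORY = """\
# device_id,platform,os_version
mac-001,macOS,10.12.1
mac-002,macOS,10.12.2
mac-003,macOS,10.9
ios-001,iOS,10.2
ios-002,iOS,10.1.1
ios-003,iOS,9.3.5
watch-001,watchOS,3.1.2
watch-002,watchOS,3.1.3
tv-001,tvOS,10.1
bad-001,macOS,unknown
"""


def triage(inventory_text):
    """Map device_id -> classification for every data row in the export."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device_id, platform, version = (field.strip() for field in line.split(","))
        try:
            results[device_id] = classify(platform, version)
        except ValueError:
            results[device_id] = "unparseable"
    return results


def summarize(results):
    """Count devices per classification so the fleet state fits on one line."""
    counts = {}
    for status in results.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    triaged = triage(SAMPLE_INVENTORY)
    for device_id, status in triaged.items():
        print(f"{device_id:10} {status}")
    print(CVE_ID, summarize(triaged))
```

Devices reported as `boundary` (for instance watchOS 3.1.2) are the ones where the prose and CPE statements disagree; treating them as affected is the conservative reading, which is why `classify` keeps them distinct rather than folding them into `fixed`. `unparseable` rows usually mean the MDM export has stale or free-text OS fields and need a manual look before remediation is signed off.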

Evidence notes

The CVE description states that iOS before 10.2, macOS before 10.12.2, and watchOS before 3.1.3 are affected, and that the issue is in Apple's Security component with OCSP responder URL vectors. The supplied NVD record classifies the weakness as CWE-20 and gives CVSS 3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The same NVD record also includes CPE criteria listing iPhone OS through 10.1.1, macOS through 10.12.1, and watchOS through 2.2.2; this is a slight boundary discrepancy versus the prose description, so both are preserved here as supplied. The record metadata shows a later modified timestamp (2026-05-13), which should not be treated as the vulnerability's disclosure date.

Official resources

Publicly disclosed in the CVE record on 2017-02-20, with Apple advisory links and NVD metadata available in the supplied record.