PatchSiren

CVE-2016-7645 Apple CVE debrief

CVE-2016-7645 describes an Apple WebKit memory-corruption issue that can be triggered by a crafted website, with potential outcomes including arbitrary code execution or a denial of service. The supplied NVD data maps impact to iOS before 10.2, Safari before 10.0.2, iCloud before 6.1, and iTunes before 12.5.4. Apple vendor advisory links are included in the record as the primary remediation references.

Vendor: Apple
Product: CVE-2016-7645
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Users and administrators of Apple devices and software running iOS, Safari, iCloud, or iTunes versions below the fixed releases, especially systems that regularly browse untrusted or externally supplied web content.

Technical summary

NVD classifies this issue as CWE-119 and gives it a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerable component is WebKit, and the attack requires user interaction with a crafted website, which can lead to memory corruption, application crash, or arbitrary code execution.

Defensive priority

High — network-reachable, user-assisted web exposure with high confidentiality, integrity, and availability impact across multiple Apple products.

Recommended defensive actions

  • Update affected Apple products to the fixed versions or later: iOS 10.2, Safari 10.0.2, iCloud 6.1, and iTunes 12.5.4.
  • Prioritize patching systems that are used to browse the web or open untrusted content.
  • Use the Apple vendor advisory links in the record to confirm the relevant product-specific fixes.
  • Validate fleet exposure by comparing installed versions against the NVD CPE ranges in the supplied record.
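One way to run the fleet comparison from the last item, as an added example that is not part of the NVD record or any Apple tooling. The fixed versions are the ones listed above; the inventory format, host names and product labels are assumptions, and the sample rows are constructed.

```python
import re

# Fixed releases for CVE-2016-7645 as listed on this page ("before X" is affected).
FIXED = {"ios": (10, 2), "safari": (10, 0, 2), "icloud": (6, 1), "itunes": (12, 5, 4)}

def parse_version(text):
    """'10.0.1' -> (10, 0, 1). Returns None unless purely dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 10.2.0 the same as 10.2
        parts.pop()
    return tuple(parts)

def classify(product, version):
    """Return 'vulnerable', 'patched', 'not-applicable' or 'unknown-version'."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        return "not-applicable"
    installed = parse_version(version)
    if installed is None:
        return "unknown-version"  # never assume patched; send to manual review
    return "vulnerable" if installed < fixed else "patched"

def audit(inventory):
    """inventory: iterable of (host, product, version); returns rows needing action."""
    findings = []
    for host, product, version in inventory:
        status = classify(product, version)
        if status in ("vulnerable", "unknown-version"):
            findings.append((host, product, version, status))
    return findings

# Constructed sample inventory (hypothetical hosts and export format).
SAMPLE = [
    ("iphone-017", "iOS", "10.1.1"),
    ("iphone-022", "iOS", "10.2.0"),
    ("mac-004", "Safari", "10.0.1"),
    ("win-031", "iCloud", "6.0.1"),
    ("win-044", "iTunes", "12.5.4.42"),
    ("win-045", "iTunes", "12.5.x"),
    ("win-050", "Firefox", "50.0"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Rows reported as unknown-version are kept in the findings on purpose, so an unparseable version string is reviewed by hand instead of being counted as patched.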

Evidence notes

The supplied NVD record identifies the vulnerable Apple CPEs and lists the affected version ceilings for iPhone OS, Safari, iCloud, and iTunes. It also records the WebKit component, a CWE-119 weakness, and the CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Apple support links are included as vendor advisories in the source corpus, while the record shows no supplied KEV listing or ransomware association. The CVE was published on 2017-02-20, and the NVD record was last modified on 2026-05-13.

Official resources

Publicly disclosed in the CVE record on 2017-02-20. The NVD entry was last modified on 2026-05-13. No KEV date, due date, or ransomware-campaign linkage was supplied in the corpus.