PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7654 Apple CVE debrief

CVE-2016-7654 is a high-severity Apple WebKit memory-corruption issue that can be triggered through a crafted website. The supplied record ties it to remote code execution and denial of service on affected iOS, Safari, iCloud, and iTunes releases. Organizations should prioritize updating exposed Apple endpoints and user-facing browsers/apps to the fixed versions noted in the record.

Vendor: Apple
Product: CVE-2016-7654
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Apple device and endpoint administrators, security teams managing iOS fleets, and users or support teams running affected Safari, iCloud, or iTunes versions on Apple platforms.

Technical summary

The NVD record classifies the weakness as CWE-119 and gives a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is described as WebKit memory corruption reachable via a crafted website, enabling remote code execution or application crash. The supplied record describes affected releases as iOS before 10.2, Safari before 10.0.2, iCloud before 6.1, and iTunes before 12.5.4; the CPE criteria in the same record enumerate vulnerable versions up to iPhone OS 10.1.1, Safari 10.0.1, iCloud 6.0.1, and iTunes 12.5.3.

Defensive priority

High. Internet-reachable, user-triggered browser-content flaws with code execution potential should be patched promptly, especially on managed Apple devices still on affected versions.

Recommended defensive actions

  • Update iOS, Safari, iCloud, and iTunes on affected systems to the fixed releases referenced by the record (iOS 10.2, Safari 10.0.2, iCloud 6.1, and iTunes 12.5.4 or later).
  • Inventory Apple endpoints and confirm no devices remain on versions covered by the vulnerable CPE criteria in the record.
  • Prioritize remediation for systems that regularly browse untrusted web content or support higher-risk user workflows.
  • Use the linked Apple vendor advisories and NVD record to validate the version scope before and after patching.
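
One way to run the inventory check described above, as an added example that is not part of the NVD record or of any Apple tooling. The CSV layout (host, product, version), the host names, and the function names are assumptions made for illustration; the fixed-release thresholds are the ones stated in this debrief.

```python
import csv
import io

# First fixed release per product, as stated in the debrief above.
FIXED = {"ios": (10, 2), "safari": (10, 0, 2),
         "icloud": (6, 1), "itunes": (12, 5, 4)}

def parse_version(text):
    """Turn '10.0.1' into (10, 0, 1); raise ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(product, version):
    """True if version is below the fixed release; None if product is out of scope."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        return None
    v = parse_version(version)
    # Pad both tuples so that 10.2 and 10.2.0 compare as equal.
    width = max(len(v), len(fixed))
    v += (0,) * (width - len(v))
    fixed += (0,) * (width - len(fixed))
    return v < fixed

def audit(inventory_csv):
    """Return (host, product, version, status) for a host,product,version CSV."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            vuln = is_vulnerable(row["product"], row["version"])
        except (ValueError, AttributeError):
            # Do not assume "patched" when the version cannot be read.
            status = "unparseable"
        else:
            status = {True: "vulnerable", False: "fixed", None: "out-of-scope"}[vuln]
        findings.append((row["host"], row["product"], row["version"], status))
    return findings

# Constructed sample inventory (hypothetical hosts, not from the record).
SAMPLE = """host,product,version
ipad-014,iOS,10.1.1
iphone-202,iOS,10.2
mac-031,Safari,10.0.1
win-007,iTunes,12.5.4.42
win-011,iCloud,6.0.1
mac-040,Safari,10.0.2 beta
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Rows reported as "unparseable" need manual review, since a version string the script cannot read says nothing about patch state.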

Evidence notes

Evidence is drawn from the supplied NVD record, which includes Apple vendor advisory references, third-party advisories, the CVSS vector, and CPE criteria. The CVE was published on 2017-02-20 and last modified on 2026-05-13; use the publish date for disclosure timing and the modified date only as record-maintenance context. The record contains a version-scope discrepancy between the narrative description and the CPE criteria, so both are noted here.

Official resources

Publicly disclosed in the supplied NVD record on 2017-02-20; record updated on 2026-05-13. The record cites Apple vendor advisories and third-party references, but this debrief relies only on the supplied metadata and description.