PatchSiren cyber security CVE debrief

CVE-2017-2354 Apple CVE debrief

CVE-2017-2354 is a WebKit memory-corruption issue in Apple products that can be triggered by a crafted website. NVD describes the impact as arbitrary code execution or a denial of service via application crash. The affected versions listed in the source corpus are iOS before 10.2.1, Safari before 10.0.3, iCloud before 6.1.1, iTunes before 12.5.5, and tvOS before 10.1.1; NVD also lists WebKitGTK+ before 2.16.3.

Vendor: Apple
Product: CVE-2017-2354
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Security and patch-management teams responsible for Apple mobile devices, Macs running Safari, Windows systems using Apple iCloud or iTunes, and any environment that embeds WebKit/WebKitGTK+. End users who browse untrusted websites should also prioritize updates.

Technical summary

The NVD record maps this issue to CWE-119 and describes a remote, user-interaction-dependent memory corruption in WebKit. The CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network reachability, no privileges required, and high potential impact if a user visits a crafted website. The source corpus attributes the issue to Apple products and lists fixed-version thresholds for iOS, Safari, iCloud, iTunes, tvOS, and WebKitGTK+.

Defensive priority

High. Although user interaction is required, the attack is network-deliverable and the stated impact includes remote code execution. The issue spans multiple Apple platforms and browser-related components, so patching should be prioritized across exposed and actively used systems.

Recommended defensive actions

  • Update affected Apple products to versions at or above the fixed releases listed in the source corpus: iOS 10.2.1, Safari 10.0.3, iCloud 6.1.1, iTunes 12.5.5, and tvOS 10.1.1.
  • Review the linked Apple vendor advisories for product-specific remediation guidance and any additional impacted components.
  • Prioritize patching systems that regularly browse untrusted web content or depend on WebKit-based rendering.
  • Verify deployment and version compliance across managed devices and user endpoints.
  • Treat any unpatched legacy systems as higher risk and isolate them until remediation is complete.
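A version-compliance check against the fixed releases listed above, added here as an example and not part of the PatchSiren debrief or any Apple tooling; the host names and inventory rows are constructed, and the WebKitGTK+ threshold is the NVD-listed 2.16.3 from the summary.

```python
from typing import Dict, List, Optional, Tuple

# Fixed releases as listed in this debrief (NVD cutoff for WebKitGTK+).
FIXED_VERSIONS: Dict[str, str] = {
    "ios": "10.2.1", "safari": "10.0.3", "icloud": "6.1.1",
    "itunes": "12.5.5", "tvos": "10.1.1", "webkitgtk+": "2.16.3",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted version -> integer tuple; '10.2' and '10.2.0' compare equal.

    A non-numeric component (e.g. '10.0.3-beta') raises ValueError so a
    malformed inventory row is flagged rather than silently treated as fixed.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:  # drop trailing zeros
        parts = parts[:-1]
    return parts


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if version is below the fixed release; None if not covered."""
    fixed = FIXED_VERSIONS.get(product.strip().lower())
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Classify each (host, product, version) row for CVE-2017-2354."""
    findings = []
    for host, product, version in inventory:
        try:
            verdict = is_vulnerable(product, version)
        except ValueError:
            status = "malformed"
        else:
            status = {None: "not-applicable", True: "VULNERABLE",
                      False: "patched"}[verdict]
        findings.append((host, product, version, status))
    return findings


# Constructed sample inventory (hypothetical hosts), not real asset data.
SAMPLE_INVENTORY = [
    ("mac-01", "Safari", "10.0.2"), ("mac-02", "Safari", "10.0.3"),
    ("iphone-07", "iOS", "10.2"), ("win-11", "iTunes", "12.5.5.5"),
    ("win-12", "iCloud", "6.0.99"), ("appletv-03", "tvOS", "10.1.1"),
    ("linux-04", "WebKitGTK+", "2.14.9"), ("win-13", "Excel", "16.0"),
    ("mac-03", "Safari", "10.0.3-beta"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("{:<12}{:<12}{:<12}{}".format(*row))
```

Rows marked "malformed" need a manual look: a version string the inventory tool could not normalise is not evidence that the host is patched.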

Evidence notes

Evidence is limited to the supplied NVD record and linked Apple advisory references. NVD explicitly states a crafted-website trigger, memory corruption in WebKit, potential code execution or denial of service, the CVSS 3.0 vector, CWE-119, and the affected version cutoffs. The corpus provides advisory URLs but not the full body text of the Apple advisories.

Official resources

Publicly disclosed in the supplied NVD record on 2017-02-20, with the record later modified on 2026-05-13. Use the listed Apple advisories and NVD entry as the authoritative sources for remediation and version guidance.