PatchSiren cyber security CVE debrief

CVE-2017-2356 Apple CVE debrief

CVE-2017-2356 is an Apple WebKit memory corruption issue reported for multiple Apple products. According to the CVE/NVD record, a crafted web site could trigger arbitrary code execution or a denial of service, with affected versions including iOS before 10.2.1, Safari before 10.0.3, iCloud before 6.1.1, iTunes before 12.5.5, and tvOS before 10.1.1. The vulnerability was published on 2017-02-20 and is rated HIGH (CVSS 8.8).

Vendor: Apple
Product: CVE-2017-2356
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Security teams managing Apple devices and endpoints, browser administrators, and anyone responsible for patching Safari/WebKit-dependent systems should care most. It also matters for organizations that let users browse the web on managed iPhone, iPad, Apple TV, or Mac devices, on Windows systems running iTunes or iCloud, or on any other Apple software that embeds WebKit.

Technical summary

The supplied NVD record describes a WebKit memory corruption flaw (CWE-119) reachable via a crafted web site. The attack vector is network-based and requires user interaction, but no privileges. Impact is high for confidentiality, integrity, and availability. The affected product/version ranges listed in the record are: iOS before 10.2.1; Safari before 10.0.3; iCloud before 6.1.1; iTunes before 12.5.5; and tvOS before 10.1.1. The record also includes a vulnerable WebKitGTK+ range, ending before 2.16.3.

Defensive priority

High. This is a remotely reachable browser/WebKit issue with code-execution potential and a high CVSS score, so it should be patched promptly wherever the affected Apple software is still in use.

Recommended defensive actions

  • Update iOS devices to 10.2.1 or later.
  • Update Safari to 10.0.3 or later on affected systems.
  • Update iCloud to 6.1.1 or later where applicable.
  • Update iTunes to 12.5.5 or later on affected Windows installations.
  • Update tvOS to 10.1.1 or later.
  • Inventory systems and verify installed versions before and after remediation.
  • Prioritize patching for internet-facing browsers and user endpoints that routinely open untrusted web content.
  • Use vendor advisories and official release notes to confirm the exact fixed builds for your platform mix.
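The inventory step above is where version comparison mistakes happen: "10.10" sorts below "10.2.1" as a string but is newer as a version. The following is an added example, not part of this debrief or any Apple tooling, that compares installed builds numerically against the fixed versions listed in the record. The inventory rows, hostnames and product labels are constructed for illustration; an operator would feed it their own MDM or asset export.

```python
"""Flag inventory entries still below the fixed builds listed for CVE-2017-2356."""

# Fixed versions as stated in the CVE/NVD record for this CVE.
FIXED_VERSIONS = {
    "iOS": "10.2.1",
    "Safari": "10.0.3",
    "iCloud": "6.1.1",
    "iTunes": "12.5.5",
    "tvOS": "10.1.1",
    "WebKitGTK+": "2.16.3",
}


def parse_version(text):
    """Turn '10.2.1' into (10, 2, 1); tolerate a trailing build tag like '10.0.3 (12602.4.8)'."""
    core = text.strip().split()[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(product, installed):
    """True if installed < fixed, False if at/above fixed, None if the product is not in the record.

    Tuple comparison is numeric per component, so (10, 10) > (10, 2, 1) and
    (10, 2) < (10, 2, 1), which a plain string comparison gets wrong.
    """
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return parse_version(installed) < parse_version(fixed)


def triage(inventory):
    """Return (host, product, installed, fixed) for every entry that still needs the update."""
    findings = []
    for host, product, installed in inventory:
        if is_vulnerable(product, installed):
            findings.append((host, product, installed, FIXED_VERSIONS[product]))
    return findings


# Constructed sample inventory (hypothetical hostnames) covering the edge cases above.
SAMPLE_INVENTORY = [
    ("iphone-01", "iOS", "10.2"),                 # below 10.2.1: vulnerable
    ("iphone-02", "iOS", "10.2.1"),               # exactly the fixed build
    ("mac-01", "Safari", "10.0.3 (12602.4.8)"),   # fixed build with a build tag
    ("mac-02", "Safari", "9.1.3"),                # vulnerable
    ("win-01", "iTunes", "12.5.4"),               # vulnerable
    ("win-02", "iTunes", "12.10.1"),              # newer than 12.5.5; string compare would say older
    ("appletv-01", "tvOS", "10.1"),               # vulnerable
    ("linux-01", "WebKitGTK+", "2.16.3"),         # fixed
    ("linux-02", "Chrome", "56.0"),               # not covered by this record
]

if __name__ == "__main__":
    for host, product, installed, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} is below fixed {fixed}")
```

Run it before and after remediation and diff the two outputs; an entry that survives the second run is either unpatched or reporting a version string the parser does not understand, and the `ValueError` makes the latter case loud rather than silent.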

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus and the official links listed in the record. The key facts used here are the CVE description, NVD CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), CWE-119 mapping, affected version ceilings, and the vendor-advisory references attached to the NVD entry. No exploit details or unsupported remediation claims are included.

Official resources

CVE published 2017-02-20. Use that published date for timing context; later NVD modifications do not change the original disclosure date.