PatchSiren cyber security CVE debrief
CVE-2017-2366 Apple CVE debrief
CVE-2017-2366 is a high-severity Apple WebKit memory-corruption issue that can be triggered by a crafted website. The CVE description says processing maliciously crafted web content may lead to arbitrary code execution or to a denial of service through application crash. The record lists iOS before 10.2.1, Safari before 10.0.3, iCloud before 6.1.1, and iTunes before 12.5.5 as affected.
- Vendor: Apple
- Product: WebKit, as shipped in iOS, Safari, iCloud, and iTunes
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-20
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-20
- Advisory updated: 2026-05-13
Who should care
Organizations and individuals running Apple software in the affected ranges should care, especially fleets with Safari-based browsing exposure or managed iOS, iCloud, or iTunes deployments. Security teams should prioritize devices that browse untrusted web content, since the trigger path is remote and the only interaction required is the user opening a crafted website.
Technical summary
NVD classifies the weakness as CWE-119 and assigns CVSS 3.0 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerable component is WebKit, and the attack surface is network-based through a crafted website. Affected versions in the CVE record are iOS before 10.2.1, Safari before 10.0.3, iCloud before 6.1.1, and iTunes before 12.5.5; the NVD CPE data maps these to iOS 10.2.0 and earlier, Safari 10.0.2 and earlier, iCloud 6.1.0 and earlier, and iTunes 12.5.4 and earlier.
Defensive priority
High. The combination of remote delivery, no privileges required, only a single user interaction (visiting a page), and potential arbitrary code execution makes this a priority patch item for exposed Apple endpoints and managed user devices.
Recommended defensive actions
- Update iOS to 10.2.1 or later on affected devices.
- Update Safari to 10.0.3 or later where applicable.
- Update iCloud to 6.1.1 or later on affected systems.
- Update iTunes to 12.5.5 or later on affected systems.
- Review Apple vendor advisories and related release notes linked from the CVE record for product-specific remediation guidance.
- Prioritize devices likely to browse untrusted websites or open web content in WebKit-based components.
- Verify patch compliance across managed Apple fleets and confirm vulnerable versions are no longer present.
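The last item, confirming that vulnerable versions are gone, is where fleet reports most often go wrong: comparing versions as strings puts 10.0.10 before 10.0.3 and silently flags a patched build as vulnerable, or the reverse. The script below is an added example, not PatchSiren's or Apple's tooling. It assumes the inventory export is a CSV with host, product and version columns (the rows shown are constructed, not real assets) and uses the fixed releases stated in the CVE record as the thresholds.

```python
"""Added example: flag inventory rows still inside the CVE-2017-2366 affected ranges.

Assumptions (not from the CVE record): the inventory is a host,product,version CSV;
the sample rows below are constructed. The thresholds are the fixed releases named
in the CVE record; anything strictly older is treated as affected.
"""
import csv
import io
from typing import Dict, List, Optional, Tuple

# First fixed release per product, from the CVE record.
FIXED_VERSIONS: Dict[str, str] = {
    "ios": "10.2.1",
    "safari": "10.0.3",
    "icloud": "6.1.1",
    "itunes": "12.5.5",
}

# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """host,product,version
ios-lab-01,iOS,10.2
ios-lab-02,iOS,10.2.1
mac-eng-07,Safari,10.0.2
mac-eng-08,Safari,10.0.10
win-fin-03,iTunes,12.5.4
win-fin-04,iTunes,12.5.5
win-fin-05,iCloud,6.1.1
win-fin-06,iCloud,6.0.2
srv-db-01,macOS,10.12.3
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.2.1' -> (10, 2, 1). Numeric comparison matters: as strings,
    '10.0.10' < '10.0.3'. A trailing build tag such as '10.2.1 (14D27)' is dropped."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if version is older than the fixed release, False if patched,
    None if the product is not one the CVE record names or the version is unparseable."""
    fixed = FIXED_VERSIONS.get(product.strip().lower())
    if fixed is None:
        return None
    have, need = parse_version(version), parse_version(fixed)
    if not have:
        return None
    # Pad so 'before 10.2.1' (CVE wording) and '10.2.0 and earlier' (NVD CPE) agree on '10.2'.
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


def triage(inventory_csv: str) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every row still in an affected range."""
    hits: List[Tuple[str, str, str]] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_affected(row["product"], row["version"]):
            hits.append((row["host"], row["product"], row["version"]))
    return hits


if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        fixed = FIXED_VERSIONS[product.lower()]
        print(f"{host}: {product} {version} is below the fixed release {fixed}")
```

On the sample data the script reports ios-lab-01, mac-eng-07, win-fin-03 and win-fin-06 and leaves mac-eng-08 (Safari 10.0.10) alone, which a string comparison would have flagged. The macOS row is skipped rather than judged: the CVE record names Safari, not macOS, so a Mac inventory has to be mapped to its Safari version before it can be checked. Rows whose version is blank or unparseable come back as unknown, not as patched, so they still need a follow-up.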
Evidence notes
This debrief is based on the NVD CVE record and the Apple-linked vendor/reference entries in the supplied corpus. The original CVE publication time is 2017-02-20T08:59:05.213Z; the later 2026-05-13 modification timestamp reflects record maintenance, not the issue date. No exploit instructions are included; all versioning and impact statements come from the provided CVE description and NVD metadata.
Official resources
- CVE-2017-2366 CVE record (CVE.org)
- CVE-2017-2366 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Vendor Advisory (four separate Vendor Advisory entries in the NVD record; the reference source appears obfuscated in the stored snapshot)
Publicly disclosed in the CVE record on 2017-02-20T08:59:05.213Z. The supplied source snapshot was later modified on 2026-05-13T00:24:29.033Z; this debrief uses the original CVE publish date for timing context.