PatchSiren cyber security CVE debrief

CVE-2017-2368 Apple CVE debrief

CVE-2017-2368 is a medium-severity Apple iOS vulnerability in the Contacts component. According to the NVD record, iOS versions before 10.2.1 were affected and a crafted contact card could cause the Contacts app to crash, resulting in denial of service. The published CVSS vector indicates user interaction is required and the impact is availability-only.

Vendor: Apple
Product: CVE-2017-2368
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Organizations that manage or support Apple iPhone OS/iOS devices, especially fleets still running versions earlier than 10.2.1, should treat this as a patching and endpoint hygiene issue. Help desks and mobile device management teams should also care because the weakness can surface through user-handled contact data.

Technical summary

NVD lists the affected platform as Apple iPhone OS up to 10.2.0 and maps the issue to CWE-20 (Improper Input Validation). The CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, which aligns with a local, user-triggered crash scenario rather than data theft or code execution. The issue is described as involving the Contacts component and a crafted contact card that can crash the application.

Defensive priority

Medium. The issue is not described as code execution or data exposure, but it can disrupt user workflow and indicates an input-handling weakness in a core iOS component. Priority should be higher for any environment that still has legacy iOS devices below 10.2.1.

Recommended defensive actions

  • Verify that all managed iOS devices are upgraded to version 10.2.1 or later.
  • Use MDM or fleet inventory to identify devices that may still be on affected versions before allowing them on corporate email or contact-sync services.
  • Educate users not to import or open unexpected contact cards from untrusted sources.
  • Review any mobile security controls that ingest or sync contact data to ensure suspicious vCard/contact content is filtered or isolated where possible.
  • Track Apple security advisories referenced by the NVD record when validating remediation status.

Evidence notes

This debrief is based on the supplied NVD CVE record and its referenced Apple security advisory link. The record states that iOS before 10.2.1 is affected, that the Contacts component can be crashed via a crafted contact card, and that the weakness is categorized as CWE-20. The CVSS vector supplied by NVD indicates a user-interaction-dependent availability impact.

Official resources

The CVE was publicly disclosed on 2017-02-20. The NVD record was later modified on 2026-05-13, but that modification does not change the original disclosure date.