PatchSiren cyber security CVE debrief
CVE-2017-2369 Apple CVE debrief
CVE-2017-2369 is a high-severity WebKit memory-corruption issue publicly disclosed on 2017-02-20. According to the CVE description and NVD metadata, a crafted website could let a remote attacker trigger application crash or arbitrary code execution on affected Apple products, with NVD also listing WebKitGTK+ as vulnerable. Because the attack is network-reachable and requires only user interaction with malicious web content, patching should be treated as urgent for exposed browsers and any software that embeds WebKit.
- Vendor: Apple
- Product: CVE-2017-2369
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-20
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-20
- Advisory updated: 2026-05-13
Who should care
Administrators responsible for iOS, Safari, tvOS, and any software embedding WebKit should care most, especially teams managing internet-facing browsers, managed endpoints, kiosks, and WebKitGTK+-based Linux deployments.
Technical summary
NVD classifies the issue as CWE-119 with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a network-delivered flaw that depends on user interaction but can still have full impact. The vulnerable ranges listed by NVD are iOS before 10.2.1, Safari before 10.0.3, tvOS before 10.1.1, and WebKitGTK+ before 2.16.3.
Defensive priority
High. The flaw is reachable through a crafted website, does not require privileges, and can lead to code execution or denial of service. NVD also includes a third-party exploit reference, which increases the need to accelerate remediation even though no exploit details are provided here.
Recommended defensive actions
- Update iOS to 10.2.1 or later, Safari to 10.0.3 or later, tvOS to 10.1.1 or later, and WebKitGTK+ to 2.16.3 or later, or any newer vendor-fixed release.
- Prioritize devices and services that browse untrusted web content or embed WebKit, including managed endpoints, kiosks, and browser-based application shells.
- Verify patch coverage by comparing installed versions against the vulnerable ranges listed in NVD.
- If immediate patching is not possible, reduce exposure to untrusted websites and limit use of affected browsers or webviews until updates are applied.
- Monitor for unusual browser or webview crashes and follow the linked Apple vendor advisories for product-specific remediation guidance.
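The patch-coverage check from the list above, sketched as an added example (not code from this debrief's publisher or from NVD). The fixed versions come from the ranges quoted on this page; the host names and inventory rows are constructed, and the script assumes version strings start with a dotted upstream version, optionally behind a package epoch.

```python
import re

# First fixed releases, from the vulnerable ranges quoted in this debrief.
FIXED = {
    "ios": (10, 2, 1),
    "safari": (10, 0, 3),
    "tvos": (10, 1, 1),
    "webkitgtk+": (2, 16, 3),
}

def parse_version(text):
    """Numeric tuple for '10.2', '2.14.7-1' or '2:2.16.3-1'; None if no version found."""
    m = re.match(r"\s*(?:\d+:)?(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def status(product, version):
    """Classify one product/version pair against the first fixed release."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        return "unknown-product"
    v = parse_version(version)
    if v is None:
        return "unparseable"
    # Pad so that '10.2' compares as 10.2.0, which is below 10.2.1.
    width = max(len(v), len(fixed))
    v += (0,) * (width - len(v))
    fixed += (0,) * (width - len(fixed))
    return "vulnerable" if v < fixed else "fixed"

# Constructed inventory: (host, product, reported version).
INVENTORY = [
    ("kiosk-01", "iOS", "10.2"),
    ("kiosk-02", "iOS", "10.2.1"),
    ("mac-17", "Safari", "10.0.3"),
    ("atv-03", "tvOS", "10.1"),
    ("build-ux", "WebKitGTK+", "2.14.7-1"),
    ("lab-09", "WebKitGTK+", "2.16.3"),
    ("mac-22", "Safari", "n/a"),
]

def needs_action(inventory):
    """Hosts that are not confirmed fixed, including rows that could not be judged."""
    return [h for h, p, ver in inventory if status(p, ver) != "fixed"]

if __name__ == "__main__":
    for host, product, ver in INVENTORY:
        print(f"{host:10} {product:11} {ver:10} {status(product, ver)}")
```

Distribution packages can carry backported fixes under an older upstream version number, so a "vulnerable" result for WebKitGTK+ should be confirmed against the distribution's own advisory.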
Evidence notes
The CVE was published on 2017-02-20, and the NVD record was modified on 2026-05-13; the original disclosure date is the relevant timing context. NVD metadata lists affected CPE ranges, CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and CWE-119. The NVD reference set includes Apple vendor advisories and a third-party exploit reference, but this debrief does not rely on exploit details.
Official resources
- CVE-2017-2369 CVE record (CVE.org)
- CVE-2017-2369 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Vendor Advisory
- Mitigation or vendor reference: Vendor Advisory
- Mitigation or vendor reference: Vendor Advisory
- Mitigation or vendor reference: Exploit, Third Party Advisory, VDB Entry
Publicly disclosed on 2017-02-20. The CVE record was later modified on 2026-05-13, but that does not change the original disclosure date.