PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-2374 Apple CVE debrief

CVE-2017-2374 is a memory corruption flaw in the Projects component of Apple GarageBand versions before 10.1.6. According to the NVD record, a crafted GarageBand project file can trigger application crash or arbitrary code execution, so updating to a fixed release is the primary mitigation.

Vendor: Apple
Product: Apple GarageBand (CVE-2017-2374)
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Organizations and users who open or process GarageBand project files, especially on systems running GarageBand 10.1.5 or earlier. Security teams should care most where untrusted project files may be exchanged or imported.

Technical summary

The NVD entry maps this issue to CWE-119 (improper restriction of operations within the bounds of a memory buffer) and lists GarageBand through 10.1.5 as vulnerable. The CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: a local attack vector with no privileges required, but user interaction is needed to trigger the flaw. The record describes exploitation via a crafted GarageBand project file affecting the Projects component, with outcomes ranging from application crash to arbitrary code execution.

Defensive priority

High for systems that still run affected GarageBand versions or routinely handle untrusted project files. Because the condition is triggered by user interaction and impacts confidentiality, integrity, and availability, patching should be prioritized where GarageBand is present.

Recommended defensive actions

  • Upgrade GarageBand to 10.1.6 or later on all affected macOS systems.
  • Avoid opening GarageBand project files from untrusted or unexpected sources until systems are patched.
  • Use application and OS update management to verify no hosts remain on GarageBand 10.1.5 or earlier.
  • Treat crashes during GarageBand project loading as potential security events and investigate file provenance.
  • Where feasible, limit receipt of project files from external parties and apply attachment filtering or approval workflows.
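The inventory step above can be scripted. The following is an added example, not part of the PatchSiren debrief or any Apple tooling: it reads the installed GarageBand version from the app bundle's Info.plist and flags hosts still below the fixed release 10.1.6. It assumes the default install path /Applications/GarageBand.app, the standard CFBundleShortVersionString key, and the macOS `defaults` command; the version comparison itself is pure POSIX sh so it can be exercised anywhere.

```shell
#!/bin/sh
# Added example for CVE-2017-2374: report whether the installed GarageBand
# is older than the fixed release. Not from the original debrief.
# Assumptions: default bundle path and CFBundleShortVersionString key.

FIXED_VERSION="10.1.6"
GARAGEBAND_PLIST="${GARAGEBAND_PLIST:-/Applications/GarageBand.app/Contents/Info.plist}"

# version_lt A B: return 0 when dotted version A is lower than B,
# comparing component by component and treating missing parts as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # advance to the next component (or empty when none remain)
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        # drop any non-numeric suffix (e.g. "6b") and default to 0
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# installed_garageband_version: print the bundle version, or fail when
# GarageBand is not installed at the assumed path.
installed_garageband_version() {
    [ -f "$GARAGEBAND_PLIST" ] || return 1
    defaults read "$GARAGEBAND_PLIST" CFBundleShortVersionString 2>/dev/null
}

# garageband_status VERSION: print a verdict and return 1 for vulnerable
# hosts, so fleet tooling can key off the exit status.
garageband_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE: GarageBand $1 is below $FIXED_VERSION (CVE-2017-2374)"
        return 1
    fi
    echo "OK: GarageBand $1 is at or above $FIXED_VERSION"
    return 0
}

main() {
    v="$(installed_garageband_version)" || {
        echo "GarageBand not found at $GARAGEBAND_PLIST; nothing to check"
        return 0
    }
    garageband_status "$v"
}

# Run the check only when invoked with --check, so the functions can be
# sourced by other scripts without side effects.
if [ "${1:-}" = "--check" ]; then main; fi
```

Run it as `sh check_garageband.sh --check` on each macOS host, or have an MDM or configuration-management agent collect the exit status: 1 means the host is still on 10.1.5 or earlier and should be upgraded.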

Evidence notes

Source corpus indicates Apple GarageBand before 10.1.6 is affected. The NVD record lists the vulnerable CPE as apple:garageband through version 10.1.5, weakness CWE-119, and CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The description says remote attackers may execute code or cause denial of service via a crafted project file, while the CVSS vector scores a local attack vector with required user interaction; this summary preserves both statements without resolving that discrepancy beyond the supplied record.

Official resources

Publicly disclosed on 2017-02-20, based on the CVE published date supplied in the record.