Cyber Resilience

CVE-2016-4656

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 25 August 2016

Published
25 August 2016
Modified
21 April 2026
KEV Added
24 May 2022
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.6533 98.5th percentile
Risk Priority 75 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2016-4656 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Iphone Os. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 1.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability tracked as CVE-2016-4656 is an out-of-bounds write (CWE-787) memory corruption flaw in the kernel of Apple iOS versions prior to 9.3.5. It received a CVSS v3.1 base score of 7.8 with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting local attack requirements but high impact on confidentiality, integrity, and availability when successfully triggered.

An attacker can exploit the issue by supplying a crafted application that the victim must install and run. Successful exploitation grants arbitrary code execution in a privileged kernel context or triggers a denial of service through memory corruption; no elevated privileges are required beyond the ability to execute the malicious app on the device.

Apple addressed the flaw in iOS 9.3.5, as detailed in the vendor’s security announcement and support document HT207107. Public references also link the vulnerability to the Trident/Pegasus spyware campaign, confirming real-world exploitation against targeted iOS devices prior to the patch release.

EU & UK References

Vulnerability details

The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

CWE(s)
KEV Date Added
24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
iphone os
≤ 9.3.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly counters the out-of-bounds write memory corruption in the iOS kernel by enforcing memory protections that block arbitrary code execution or DoS from crafted apps.

prevent

Requires timely application of the iOS 9.3.5 patch that eliminates CVE-2016-4656 before exploitation by malicious apps.

prevent

Restricts installation and execution of user-supplied apps that are the required delivery mechanism for triggering the kernel flaw.

References