Unrated severityNVD Advisory· Published Jul 3, 2015· Updated May 6, 2026

CVE-2015-3687

Description

CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted text file, a different vulnerability than CVE-2015-3685, CVE-2015-3686, CVE-2015-3688, and CVE-2015-3689.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CoreText memory corruption vulnerability in Apple iOS before 8.4 and OS X before 10.10.4 allows remote code execution via crafted text file.

Vulnerability

A memory corruption vulnerability exists in CoreText, the text layout and rendering engine in Apple iOS and OS X. The bug is triggered when processing a specially crafted text file. Affected versions are iOS before 8.4 and OS X before 10.10.4. This issue is one of several CoreText memory corruption flaws, as described in the iTunes 12.3 security content [3].

Exploitation

An attacker can exploit this vulnerability remotely by delivering a malicious text file to a target user. The user must open the crafted file in an application that uses CoreText for text rendering. No authentication is required, but user interaction (such as opening a file or viewing a webpage containing the text) is needed [3].

Impact

Successful exploitation could allow arbitrary code execution or cause a denial of service (application termination). Code execution would occur in the context of the application using CoreText, potentially leading to full system compromise depending on the application's privileges [3].

Mitigation

Apple addressed this vulnerability in iOS 8.4 and OS X Yosemite 10.10.4, both released in June 2015. The fix is also included in iTunes 12.3 for Windows. Users should update their devices to the latest available versions. No workarounds are documented [1][2][3].

References

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Apple Inc./iTunes
cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*
Range: <=12.2
Apple Inc./Iphone Os
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Range: <=8.3
Apple Inc./Mac Os X
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
Range: <=10.10.3
Apple Inc./iOSllm-fuzzy
Range: <8.4
Apple Inc./OS Xllm-fuzzy
Range: <10.10.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.apple.com/archives/security-announce/2015/Jun/msg00001.htmlnvdPatchVendor Advisory
lists.apple.com/archives/security-announce/2015/Jun/msg00002.htmlnvdPatchVendor Advisory
lists.apple.com/archives/security-announce/2015/Sep/msg00003.htmlnvdPatchVendor Advisory
support.apple.com/kb/HT204941nvdVendor Advisory
support.apple.com/kb/HT204942nvdVendor Advisory
support.apple.com/HT205221nvdVendor Advisory
www.securityfocus.com/bid/75491nvd
www.securitytracker.com/id/1032760nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000