VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 18, 2015· Updated May 6, 2026

CVE-2015-5791

CVE-2015-5791

Description

WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes before 12.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-09-16-1 and APPLE-SA-2015-09-16-3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory corruption vulnerability in WebKit (JavaScriptCore) in Apple iOS before 9 and iTunes before 12.3 allows remote code execution or denial of service via a crafted website.

Vulnerability

CVE-2015-5791 is a memory corruption vulnerability in WebKit, specifically in the JavaScriptCore component, as used in Apple iOS versions prior to 9 and iTunes versions prior to 12.3. The issue can be triggered by visiting a crafted malicious website, leading to memory corruption and application crash. The vulnerability is distinct from other WebKit CVEs addressed in the same security updates [1][2][3].

Exploitation

An attacker can exploit this vulnerability by hosting a specially crafted website and enticing a user to visit it. No additional authentication or user interaction beyond visiting the site is required. The attack vector is remote, and the attacker does not need any prior access to the target device.

Impact

Successful exploitation allows a remote attacker to execute arbitrary code on the affected system or cause a denial of service (application crash). The attacker gains the ability to run code at the privilege level of the WebKit process, which could lead to full compromise of the device or application.

Mitigation

Apple addressed this vulnerability in iOS 9 (released September 16, 2015) and iTunes 12.3 (released September 16, 2015). Users should update to these versions or later. No workarounds are available for unpatched versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

References
  1. About the security content of iOS 9 - Apple Support
  2. About the security content of Safari 9 - Apple Support
  3. About the security content of iTunes 12.3 - Apple Support

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

5
  • Apple Inc./iTunes2 versions
    cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*range: <=12.2
    • (no CPE)range: <12.3
  • Apple Inc./Safari
    cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
    Range: <=8.0.8
  • Apple Inc./Iphone Os
    cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    Range: <=8.4.1
  • Apple Inc./iOSllm-fuzzy
    Range: <9

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

8

News mentions

0

No linked articles in our index yet.