Unrated severity · NVD Advisory · Published Sep 18, 2015 · Updated May 6, 2026

CVE-2015-5814

Description

WebKit, as used in JavaScriptCore in Apple iOS before 9 and iTunes before 12.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-09-16-1 and APPLE-SA-2015-09-16-3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory corruption vulnerability in WebKit's JavaScriptCore allows remote attackers to execute arbitrary code or cause a denial of service via a crafted website.

Vulnerability

A memory corruption issue exists in WebKit's JavaScriptCore, as used in Apple iOS before 9 and iTunes before 12.3. The vulnerability is triggered when processing maliciously crafted web content, leading to memory corruption. Affected versions: iOS versions prior to 9 and iTunes versions prior to 12.3 [1][3].

Exploitation

An attacker can exploit this vulnerability by enticing a user to visit a crafted website. No authentication or special network position is required; the attack is remote. The crafted website causes memory corruption in the JavaScriptCore engine, which can be leveraged for arbitrary code execution.

Impact

Successful exploitation allows a remote attacker to execute arbitrary code with the privileges of the affected application (e.g., MobileSafari on iOS or iTunes on Windows) or cause a denial of service via application crash. The impact includes full compromise of the application's sandbox and potential system-level access depending on the environment.

Mitigation

Apple addressed this vulnerability in iOS 9 [1] and iTunes 12.3 [3]. Users should update to these versions or later. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

5
  • Apple Inc./iTunes (2 versions)
    • cpe:2.3:a:apple:itunes:*:*:*:*:*:*:*:*
      Range: <=12.2
    • (no CPE)
      Range: <12.3
  • cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
    Range: <=8.0.8
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    Range: <=8.4.1
  • Apple Inc./iOS (llm-fuzzy)
    Range: <9

References

9