Unrated severity · NVD Advisory · Published Oct 23, 2015 · Updated May 6, 2026

CVE-2015-6978

Description

FontParser in Apple iOS before 9.1 and OS X before 10.11.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font file, a different vulnerability than CVE-2015-6976, CVE-2015-6977, CVE-2015-6990, CVE-2015-6991, CVE-2015-6993, CVE-2015-7008, CVE-2015-7009, CVE-2015-7010, and CVE-2015-7018.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory corruption vulnerability in Apple's FontParser allows remote code execution via a crafted font file, affecting iOS before 9.1 and OS X before 10.11.1.

Vulnerability

FontParser in Apple iOS before 9.1 and OS X before 10.11.1 contains a memory corruption vulnerability when processing crafted font files. The issue is triggered during parsing of fonts embedded in PDFs, as described in the ZDI advisory [4]. Affected versions: iOS 9.0 and earlier, OS X 10.11.0 and earlier, and possibly watchOS prior to 2.1 [3].

Exploitation

Exploitation requires user interaction: an attacker must convince a user to visit a maliciously crafted website or open a malicious file containing a specially crafted font [4]. The specific flaw exists within the parsing of fonts embedded in PDFs and leads to an out-of-bounds access [4].

Impact

Successful exploitation allows remote attackers to execute arbitrary code in the context of the current process (e.g., Safari or other applications using FontParser) or cause a denial of service via memory corruption [1][2][4]. The attacker gains the ability to run arbitrary code with the privileges of the user.

Mitigation

Apple addressed this vulnerability in iOS 9.1 [2], OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks [1]. watchOS 2.1 also includes a fix [3]. Users should update to the latest available versions. No workarounds are documented.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 5

References: 9
