VYPR
Medium severity · 5.9 · NVD Advisory · Published Mar 24, 2016 · Updated May 6, 2026

CVE-2016-1788

Description

Messages in Apple iOS before 9.3, OS X before 10.11.4, and watchOS before 2.2 does not properly implement a cryptographic protection mechanism, which allows remote attackers to read message attachments via vectors related to duplicate messages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cryptographic protection flaw in Apple Messages on iOS, OS X, and watchOS allowed remote attackers to read message attachments via duplicate message vectors.

Vulnerability

The Messages application on Apple iOS before 9.3, OS X before 10.11.4, and watchOS before 2.2 fails to properly implement a cryptographic protection mechanism. This allows remote attackers to read message attachments via vectors related to duplicate messages. The issue affects all devices running the vulnerable operating system versions. [1][2][3]

Exploitation

An attacker can exploit this vulnerability by sending specially crafted duplicate messages to a target user. No authentication is required beyond the ability to send messages to the target. The attacker does not need physical access or user interaction beyond the target receiving the messages. The exact sequence involves exploiting the duplicate message handling to bypass cryptographic protections on attachments.

Impact

Successful exploitation allows a remote attacker to read message attachments that were intended to be cryptographically protected. This leads to unauthorized disclosure of potentially sensitive information contained in attachments, compromising confidentiality. The attacker gains access to the content of attachments without proper authorization.

Mitigation

Apple addressed this vulnerability in iOS 9.3, OS X El Capitan 10.11.4, and watchOS 2.2, released on March 21, 2016. Users should update their devices to these versions or later. No workarounds are documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. [1][2][3]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6

Patches

0

No patches discovered yet.

References

7
