CVE-2016-4610

Vulnerability

A memory corruption vulnerability exists in the libxslt library as used in Apple iOS prior to 9.3.3, OS X prior to 10.11.6, iTunes prior to 12.4.2 on Windows, iCloud prior to 5.2.1 on Windows, tvOS prior to 9.2.2, and watchOS prior to 2.2.2 [1][2][3][4]. The official description notes unknown vectors, and the issue is distinct from related CVEs (CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, and CVE-2016-4612). The Apple security advisory for tvOS [3] mentions a memory corruption issue addressed through improved memory handling, which is consistent with the root cause of this vulnerability.

Exploitation

An attacker can exploit this vulnerability remotely by delivering a specially crafted input to the affected libxslt parser. The attack does not require authentication or user interaction beyond triggering processing of malicious content (e.g., visiting a web page or opening a crafted document that uses XSLT transformations). The exact network position required is not specified, but remote exploitation is possible. No proof-of-concept or detailed exploitation steps have been publicly disclosed by Apple.

Impact

Successful exploitation can lead to memory corruption, potentially resulting in arbitrary code execution with the privileges of the affected process or a denial of service. On iOS and OS X, this could allow a remote attacker to execute arbitrary code or cause a system crash [1][4]. The impact is rated critical with a CVSS v3 base score of 9.8.

Mitigation

Apple released fixes in the following versions on July 18, 2016: iOS 9.3.3, OS X 10.11.6, iTunes 12.4.2 for Windows, iCloud 5.2.1 for Windows, tvOS 9.2.2, and watchOS 2.2.2 [1][2][3][4]. Users should update their software to the latest available version. No workaround is documented. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.