VYPR
← All advisories
Low severity3.3NVD Advisory· Published Sep 18, 2016· Updated May 6, 2026

CVE-2016-4620

CVE-2016-4620

Description

In iOS prior to 10, the Sandbox Profiles component does not restrict access to directory metadata for SMS draft directories, allowing a crafted app to discover text-message recipients.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In iOS prior to 10, the Sandbox Profiles component does not restrict access to directory metadata for SMS draft directories, allowing a crafted app to discover text-message recipients.

Vulnerability

The Sandbox Profiles component in Apple iOS before 10 does not properly restrict access to directory metadata for SMS draft directories. This allows a crafted app to discover text-message recipients. Affected versions: iOS prior to 10.

Exploitation

An attacker would need to install a crafted app on the device. The app can then directly query the directory metadata of the SMS draft directories due to insufficient sandbox restrictions. No additional authentication or user interaction beyond installing the app is required.

Impact

Successful exploitation results in disclosure of text-message recipients (contact information) to the attacker's app. This is a confidentiality impact on SMS communication metadata.

Mitigation

The vulnerability is fixed in iOS 10, which was released on September 13, 2016 [1]. Users should update their devices to iOS 10 or later. No workarounds were provided for earlier versions.

References
  1. About the security content of iOS 10 - Apple Support

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.