CVE-2016-4657

HIGH KEV RANSOMWARE

iPhone OS < 9.3.5 - Remote Code Execution via WebKit Memory Corruption

Title source: llm

Exploitation Summary

CVE-2016-4657 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 24, 2022, with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including Metasploit, qwertyoruiop, and iDaN5x.

AI-analyzed exploit summary: This Metasploit module exploits a use-after-free (UAF) vulnerability in WebKit's JavaScriptCore library (CVE-2016-4657) to achieve remote code execution on iOS devices. It leverages memory corruption techniques to bypass mitigations and execute arbitrary payloads.

Description

WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · ios
https://www.exploit-db.com/exploits/44836

This Metasploit module exploits a use-after-free (UAF) vulnerability in WebKit's JavaScriptCore library (CVE-2016-4657) to achieve remote code execution on iOS devices. It leverages memory corruption techniques to bypass mitigations and execute arbitrary payloads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: WebKit (JavaScriptCore) on Apple iOS
No auth needed
Prerequisites: Target must visit a malicious webpage or open a crafted link · Vulnerable version of WebKit on iOS
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by qwertyoruiop · html · dos · hardware
https://www.exploit-db.com/exploits/44213

This exploit leverages a type confusion vulnerability in the JavaScript engine of the Nintendo Switch browser to achieve arbitrary memory read/write. It uses garbage collection manipulation and array spraying to corrupt memory and gain control over object structures.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Nintendo Switch Browser (WebKit-based)
No auth needed
Prerequisites: Victim must visit a malicious webpage using the Nintendo Switch browser
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 56 stars
by iDaN5x · client-side
https://github.com/iDaN5x/Switcheroo

This repository contains a functional proof-of-concept exploit for CVE-2016-4657, targeting a memory corruption vulnerability in the Nintendo Switch's JavaScript engine. The exploit leverages a use-after-free (UAF) condition to achieve arbitrary memory read/write, demonstrating a potential jailbreak path.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Nintendo Switch (WebKit/JavaScript engine)
No auth needed
Prerequisites: Access to a vulnerable Nintendo Switch browser environment · Ability to execute arbitrary JavaScript
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP 9 stars
by viai957 · client-side
https://github.com/viai957/webkit-vulnerability

This repository contains a detailed technical writeup on CVE-2016-4622, a JavaScriptCore vulnerability in WebKit. It includes an in-depth analysis of the bug, exploitation techniques, and engine internals, but does not provide functional exploit code.

Classification: Writeup 95%
Attack Type: RCE
Complexity: Complex
Reliability: Theoretical
Target: WebKit (JavaScriptCore) in Safari 9.1.1 and iOS 9.3
No auth needed
Prerequisites: Victim interaction (clicking a malicious link) · Vulnerable WebKit version
devstral-2 · analyzed Feb 18, 2026

nomisec STUB 3 stars
by Mimoja · client-side
https://github.com/Mimoja/CVE-2016-4657-NintendoSwitch

The repository contains only a minimal README with no exploit code or technical details. It mentions CVE-2016-4657 for Nintendo Switch but provides no functional PoC or analysis.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Nintendo Switch (unspecified version)
No auth needed
devstral-2 · analyzed Feb 18, 2026

References (8)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44836/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/92653
Release Notes, Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207107
Mailing List, Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2016/Aug/msg00000.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036694

Scores

CVSS v3 8.8
EPSS 0.7943
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-05-24
VulnCheck KEV 2016-08-15
InTheWild.io 2016-08-15
ENISA EUVD EUVD-2016-5643
Ransomware Use Confirmed
CWE CWE-787
Status published
Products (1)
apple/iphone_os < 9.3.5
Published Aug 25, 2016
KEV Added May 24, 2022
Tracked Since Feb 18, 2026