CVE-2016-4669

HIGH

Safari Webkit JIT Exploit for iOS 7.1.2

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-4669. PoCs published by Google Security Research, i-o-s.

AI-analyzed exploit summary This exploit targets a vulnerability in the XNU kernel's MIG (Mach Interface Generator) code, specifically in the `mach_ports_register` function. The issue arises from a mismatch between the `init_port_set.count` and `init_port_setCnt` values, leading to out-of-bounds memory access and potential use-after-free (UaF) conditions.

Description

An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Kernel" component. It allows local users to execute arbitrary code in a privileged context or cause a denial of service (MIG code mishandling and system crash) via unspecified vectors.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Google Security Research · textdosmultiple
https://www.exploit-db.com/exploits/40654

This exploit targets a vulnerability in the XNU kernel's MIG (Mach Interface Generator) code, specifically in the `mach_ports_register` function. The issue arises from a mismatch between the `init_port_set.count` and `init_port_setCnt` values, leading to out-of-bounds memory access and potential use-after-free (UaF) conditions.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Apple XNU kernel (OS X 10.11.6)
No auth needed
Prerequisites: Access to a vulnerable macOS system (10.11.6)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by i-o-s · poc
https://github.com/i-o-s/CVE-2016-4669

This repository contains a functional exploit PoC for CVE-2016-4669, targeting a Mach IPC vulnerability in iOS. The exploit attempts to achieve local privilege escalation (LPE) by manipulating dangling ports and reusing root-owned ports, though it is noted to be unstable and crash-prone.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: iOS (specific version not explicitly stated, but likely iOS 10.x)
No auth needed
Prerequisites: Local access to the target device · Compilation on a macOS/iOS environment
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (8)

Core 8
Core References
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207271
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037086
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/93849
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207269
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207270
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207275
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40654/

Scores

CVSS v3 7.8
EPSS 0.0373
EPSS Percentile 88.4%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (4)
apple/iphone_os < 10.1
apple/mac_os_x < 10.12.1
apple/tvos < 10.0.1
apple/watchos < 3.1
Published Feb 20, 2017
Tracked Since Feb 18, 2026