CVE-2016-7617

HIGH

macOS < 10.12.2 - Remote Code Execution or Denial of Service via Bluetooth Type Confusion

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-7617. PoCs published by Google Security Research, Brandon Azad.

AI-analyzed exploit summary: This PoC exploits a type confusion vulnerability in macOS IOKit by manipulating the IOUserClientClass property of AppleBroadcomBluetoothHostController, allowing an unprivileged user to attach an arbitrary IOUserClient (e.g., IGAccelSharedUserClient) to the service, leading to invalid virtual calls and potential kernel code execution.

Description

An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (type confusion) via a crafted app.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Google Security Research · c · dos · macos
https://www.exploit-db.com/exploits/40952

This PoC exploits a type confusion vulnerability in macOS IOKit by manipulating the IOUserClientClass property of AppleBroadcomBluetoothHostController, allowing an unprivileged user to attach an arbitrary IOUserClient (e.g., IGAccelSharedUserClient) to the service, leading to invalid virtual calls and potential kernel code execution.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: macOS Sierra 10.12.1 (16B2555)
No auth needed
Prerequisites: Access to a vulnerable macOS system with AppleBroadcomBluetoothHostController
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Brandon Azad · local · macos
https://www.exploit-db.com/exploits/44237

physmem is a physical memory inspection tool and local privilege escalation exploit targeting macOS up to 10.12.1. It exploits CVE-2016-1825 or CVE-2016-7617, both logic bugs in IOKit registry properties, allowing arbitrary physical memory read/write and root shell execution.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: macOS up to 10.12.1
No auth needed
Prerequisites: Local access to a vulnerable macOS system
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/94903
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/40952/
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1037469
Vendor Advisory (x_refsource_confirm): https://support.apple.com/HT207423

Scores

CVSS v3: 7.8
EPSS: 0.0142
EPSS Percentile: 81.1%
Attack Vector: LOCAL
Vector string: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-704
Status: published
Products (1): apple/mac_os_x < 10.12.1
Published: Feb 20, 2017
Tracked Since: Feb 18, 2026