CVE-2017-2446

HIGH

Apple <10.3 - Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-2446. PoCs published by Google Security Research.

AI-analyzed exploit summary: This exploit leverages a WebKit JavaScript engine flaw where strict mode enforcement inconsistently allows Function.caller access, enabling direct calls to sensitive native functions like arrayProtoPrivateFuncAppendMemcpy. The PoC demonstrates arbitrary memory manipulation via crafted array operations.

Description

An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Google Security Research · html · dos · multiple
https://www.exploit-db.com/exploits/41742

This exploit leverages a WebKit JavaScript engine flaw where strict mode enforcement inconsistently allows Function.caller access, enabling direct calls to sensitive native functions like arrayProtoPrivateFuncAppendMemcpy. The PoC demonstrates arbitrary memory manipulation via crafted array operations.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WebKit (Safari) versions affected by CVE-2017-2446
No auth needed
Prerequisites: Victim must visit a malicious webpage using vulnerable WebKit browser
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Google Security Research · html · dos · multiple
https://www.exploit-db.com/exploits/41741

This exploit demonstrates a type confusion vulnerability in JavaScript's Intl.DateTimeFormat.format function, allowing arbitrary memory access via a bound function manipulation. The PoC triggers the vulnerability by overriding valueOf and using Function.caller to obtain an unbound function, which is then called with an arbitrary address.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: JavaScript engines (e.g., V8, SpiderMonkey) in browsers or Node.js
No auth needed
Prerequisites: Browser or Node.js environment with vulnerable JavaScript engine
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41741/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038137
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41742/
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207601
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97130
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201706-15
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207600
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207617

Scores

CVSS v3 8.8
EPSS 0.2509
EPSS Percentile 96.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published
Products (3)
apple/iphone_os < 10.2.1
apple/safari < 10.0.3
apple/tvos < 10.1.1
Published Apr 02, 2017
Tracked Since Feb 18, 2026