CVE-2017-7048

HIGH

Safari < 10.1.2 - Remote Code Execution via Memory Corruption

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-7048. PoCs published by Google Security Research.

AI-analyzed exploit summary This PoC demonstrates a use-after-free vulnerability in WebKit's accessibility features, triggered by manipulating DOM elements with specific attributes. The exploit causes a heap-use-after-free error, as confirmed by the AddressSanitizer (ASan) log.

Description

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · htmldosmultiple
https://www.exploit-db.com/exploits/42360

This PoC demonstrates a use-after-free vulnerability in WebKit's accessibility features, triggered by manipulating DOM elements with specific attributes. The exploit causes a heap-use-after-free error, as confirmed by the AddressSanitizer (ASan) log.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WebKit (Safari, WebKitGTK+)
No auth needed
Prerequisites: Accessibility features enabled (e.g., inspector open in Safari or default in WebKitGTK+)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99885
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207927
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207924
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207928
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207921
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT207923
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038950
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42360/

Scores

CVSS v3 8.8
EPSS 0.0441
EPSS Percentile 89.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-119
Status published
Products (6)
apple/icloud < 6.2.2
apple/iphone_os < 10.3.3
apple/itunes < 12.6.2
apple/safari < 10.1.2
apple/tvos < 10.2.2
apple/webkit
Published Jul 20, 2017
Tracked Since Feb 18, 2026