WebKit memory corruption RCE in Apple iOS
CVE-2016-4657 is a memory corruption vulnerability in WebKit on Apple iOS before 9.3.5. A remote attacker triggers it by luring the target to a crafted web page or malicious link, so that Safari/WebKit parses attacker-controlled content and the attacker gains arbitrary code execution in the browser process. It was the initial, browser-side stage of the 2016 "Trident" iOS exploit chain: it provided shellcode execution inside Safari and was chained with the kernel vulnerabilities CVE-2016-4655 (a kernel information leak) and CVE-2016-4656 (kernel memory corruption) to achieve a remote jailbreak and silently install the Pegasus spyware. Apple fixed all three in iOS 9.3.5; a device still on 9.3.4 or earlier remains exploitable by any web content it renders, so the only real mitigation short of updating is to keep such devices off untrusted links and networks.
Exploits
Two public proof-of-concept repositories are summarized below. Both are research PoCs: neither ships a weaponized payload, and neither reproduces the full Trident chain.
The first repository is a proof-of-concept for CVE-2016-4657 targeting the JavaScriptCore engine in iOS 9.3 Safari and in the WebKit-based captive-portal browser of the Nintendo Switch. The exploit lives in 'attack.html', which manipulates engine heap state from JavaScript to trigger the bug. 'index.html' is a landing page that checks the User-Agent for the Nintendo Switch and redirects to the exploit page. 'README.md' gives a short overview and links to a technical article; 'tuto.md' is a longer write-up on JavaScript engine exploitation that provides background but is not part of the exploit itself. The PoC demonstrates the bug by corrupting array lengths and raising an alert, and may crash the browser, which shows the bug is reachable; no weaponized payload is included.
The second repository is a proof-of-concept for CVE-2016-4657 aimed at the Nintendo Switch browser. It ships a minimal custom browser written in C++ (main.cpp) for Debian Linux that spoofs the Switch User-Agent and loads a hosted exploit page. The exploit logic is in JavaScript (exploit/jailbreak.js), loaded by an HTML page (exploit/index.html), with supporting files for logging (exploit/logger.js) and styling (exploit/style.css). On the Switch it triggers the WebKit memory corruption and crashes the browser; it does not provide code execution or a persistent jailbreak and is intended for academic use. The only network endpoint it contacts is the hosted exploit page, https://idan5x.github.io/Switcheroo/, which the custom browser loads.
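The first PoC above reports success by "corrupting array lengths". The following is an added example, not code from either repository and not a trigger for CVE-2016-4657: it is a toy model, written for Node.js, of what an attacker gains once a JSArray's length field has been overwritten. The heap layout, cell format (butterfly pointer followed by length) and addresses are assumptions chosen for illustration, not JavaScriptCore's real object layout. The model shows the usual progression: a corrupted length turns the engine's bounds check into an out-of-bounds read, the read leaks a neighbouring object's storage pointer, and an out-of-bounds write of that pointer turns the neighbour into an arbitrary-read primitive. The `detectCorruption` check is the kind of test a PoC runs before raising its alert.

```javascript
// Toy heap: 256 bytes of little-endian uint32 slots. This layout is an
// assumption for illustration only, not JavaScriptCore's real JSArray layout.
const heap = new DataView(new ArrayBuffer(256));

// Toy JSArray cell at cellAddr: slot 0 = butterfly (element storage) pointer,
// slot 1 = length. Elements live at the butterfly address.
function makeArray(cellAddr, butterflyAddr, elements) {
  heap.setUint32(cellAddr, butterflyAddr, true);
  heap.setUint32(cellAddr + 4, elements.length, true);
  elements.forEach((v, i) => heap.setUint32(butterflyAddr + 4 * i, v, true));
  return cellAddr;
}

function arrayLength(cellAddr) {
  return heap.getUint32(cellAddr + 4, true);
}

// Engine-style bounds-checked element access. The check trusts the stored
// length, so whoever controls the length field controls the bounds.
function readElement(cellAddr, index) {
  const butterfly = heap.getUint32(cellAddr, true);
  if (index >= arrayLength(cellAddr)) return undefined;
  return heap.getUint32(butterfly + 4 * index, true);
}

function writeElement(cellAddr, index, value) {
  const butterfly = heap.getUint32(cellAddr, true);
  if (index >= arrayLength(cellAddr)) return false;
  heap.setUint32(butterfly + 4 * index, value, true);
  return true;
}

// Stand-in for the memory corruption bug: the real exploit reaches this
// write through CVE-2016-4657; here we simply poke the length field.
function corruptLength(cellAddr, newLength) {
  heap.setUint32(cellAddr + 4, newLength, true);
}

// What a PoC checks before alerting: does a sprayed array now report a
// length different from the one it was created with?
function detectCorruption(cellAddr, expectedLength) {
  return arrayLength(cellAddr) !== expectedLength;
}

// Walk through the primitive on a constructed layout:
//   victim cell at 0x10, its 4 elements at 0x40..0x4f,
//   neighbour cell at 0x50 (butterfly 0x60, length 2), elements at 0x60..0x67,
//   a "secret" word at 0x80 that the attacker wants to read.
function demo() {
  const victim = makeArray(0x10, 0x40, [1, 2, 3, 4]);
  const neighbour = makeArray(0x50, 0x60, [0x11, 0x22]);
  heap.setUint32(0x80, 0xcafebabe, true);

  const before = readElement(victim, 4);          // bounds check holds: undefined

  corruptLength(victim, 0x20);                     // the bug's effect, simulated
  const corrupted = detectCorruption(victim, 4);   // PoC-style success check

  // OOB read: victim[4] overlaps the neighbour cell's butterfly pointer.
  const leakedPointer = readElement(victim, 4);    // 0x60

  // OOB write: repoint the neighbour's storage at the secret, then read it
  // through the neighbour's normal, still "bounds-checked", accessor.
  writeElement(victim, 4, 0x80);
  const arbitraryRead = readElement(neighbour, 0); // 0xcafebabe

  return { before, corrupted, leakedPointer, arbitraryRead };
}

console.log(demo());
```

Run it with `node` and compare the four fields: `before` is `undefined` because the bounds check still holds, `corrupted` flips to `true` after the simulated overwrite, `leakedPointer` is the neighbour's storage address, and `arbitraryRead` is the word the neighbour never legitimately pointed at. A real exploit against this CVE has to earn the `corruptLength` step through the engine bug; everything after it is the standard length-corruption playbook.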
Affected products & vendors
Apple iOS before 9.3.5 (WebKit/Safari). The same WebKit bug is reachable in other WebKit-based browsers of the same vintage, as the Nintendo Switch captive-portal PoCs above show.
Recent activity
A memory corruption vulnerability in WebKit (Safari browser engine) that allows execution of arbitrary code when a user visits a maliciously crafted website. Used as the first stage in the Trident exploit chain for remote iPhone jailbreaks.
Cited as an example of the operating-system and application flaws exploited to install Pegasus remotely.