CVE-2016-4655 — Apple iOS Information Disclosure Vulnerability

CVE-2016-4655

Apple iOS Kernel — Memory Information Disclosure Enabling KASLR Bypass; Part of 'Trident' Three-Zero-Day Pegasus Spyware Chain; Patched iOS 9.3.5 (August 2016)

What Is Apple iOS?

Apple iOS is the operating system powering iPhone and iPad devices. As one of the two dominant mobile platforms (alongside Android), iOS security vulnerabilities — particularly those exploitable via zero-click or one-click vectors — are among the most impactful in the security landscape. Successful iOS exploitation provides access to communications, location data, microphone, camera, contacts, and all data on the device. iOS zero-days capable of achieving full device compromise without user interaction or with only a single tap are among the most expensive vulnerabilities in commercial exploit markets.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 24, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-4655 is the first of three iOS zero-day vulnerabilities forming the "Trident" exploit chain, used by NSO Group's Pegasus spyware to achieve complete iPhone compromise. CVE-2016-4655 is a kernel information disclosure vulnerability that allows a malicious app or web page to read kernel memory, defeating Kernel Address Space Layout Randomization (KASLR). Combined with CVE-2016-4657 (WebKit RCE, initial entry) and CVE-2016-4656 (kernel memory corruption, privilege escalation), the Trident chain achieved a full one-click remote jailbreak targeting human rights activists. Discovered by Citizen Lab and Lookout Security. Apple patched all three Trident vulnerabilities in iOS 9.3.5 on August 25, 2016. CISA added CVE-2016-4655 to the KEV catalog in May 2022.

Affected Versions

Apple iOS                Status
iOS 9.3.4 and earlier    Vulnerable
iOS 9.3.5                Fixed

The Trident vulnerabilities were also addressed in subsequent iOS releases. All current iOS versions include the fix.

Technical Details

The Trident Exploit Chain

CVE-2016-4655 is Stage 2 of the Trident three-stage exploit chain:

Stage  CVE            Type                             Purpose
1      CVE-2016-4657  WebKit memory corruption (RCE)   Entry: code execution via malicious link
2      CVE-2016-4655  Kernel information disclosure    KASLR bypass: reveal kernel memory layout
3      CVE-2016-4656  Kernel memory corruption (LPE)   Privilege escalation: achieve kernel control

Root Cause: Kernel Memory Disclosure

CVE-2016-4655 is a kernel information disclosure vulnerability (CWE-200) in the iOS kernel. When code executing in the WebKit renderer process (after CVE-2016-4657 exploitation) makes certain system calls or accesses specific kernel data structures, the kernel returns memory contents that include kernel virtual addresses — specifically addresses that reveal where the kernel and its modules are loaded in memory.

Why KASLR matters: Kernel Address Space Layout Randomization randomizes the base addresses of the kernel and its extensions at boot time, preventing an attacker from knowing in advance where to target kernel exploitation. CVE-2016-4655 defeats KASLR by disclosing these actual runtime addresses to the attacker's code, enabling Stage 3 (CVE-2016-4656) to target the correct kernel addresses for memory corruption exploitation.

Attack Characteristics

Attribute       Detail
Attack Vector   Local (AV:L) — code execution from Stage 1 required
Role in Chain   Stage 2 — KASLR bypass enabling kernel exploitation
Effect          Kernel virtual address disclosure
Enables         CVE-2016-4656 kernel exploitation (Stage 3)
Prerequisite    CVE-2016-4657 WebKit RCE (Stage 1)

Discovery

Discovered by Citizen Lab (University of Toronto) and Lookout Security after UAE human rights activist Ahmed Mansoor received a suspicious SMS on August 10, 2016 containing a link. Rather than clicking the link himself, Mansoor forwarded it to Citizen Lab for analysis. Lookout and Citizen Lab jointly identified the three zero-days and NSO Group's Pegasus spyware. Apple was notified and released iOS 9.3.5 on August 25, 2016 — only 10 days after receiving the report.

Exploitation Context

  • Pegasus spyware: The Trident chain was the delivery mechanism for NSO Group's Pegasus mobile surveillance software, commercially sold to nation-state clients for targeting dissidents, journalists, and political opponents; the "million-dollar dissident" nickname for Mansoor reflects the estimated $1M value of three iOS zero-days at the time
  • Nation-state targeting: Citizen Lab attributed CVE-2016-4655 exploitation to UAE government actors targeting Ahmed Mansoor; Pegasus spyware has since been documented targeting activists and journalists in dozens of countries
  • Commercial exploit market: The Trident chain represented approximately $1 million in zero-day value at 2016 exploit broker market rates; the NSO Group's business model of selling weaponized iOS exploits to governments placed these capabilities in the hands of actors who would not have developed them independently
  • Trident as a watershed: The Trident disclosure was the first public documentation of commercial mobile spyware using iOS zero-days; it triggered significant scrutiny of the commercial surveillance industry and shaped subsequent efforts (Citizen Lab, Access Now, Amnesty Tech) to detect mobile spyware
  • CISA KEV (2022): Added May 2022 alongside CVE-2016-4656 and CVE-2016-4657

Remediation

CISA BOD 22-01 Deadline: June 14, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Update to iOS 9.3.5 or later — all iOS versions 9.3.5 and above patch the Trident vulnerabilities. Any current iOS release is patched. Update via Settings → General → Software Update.

  2. Maintain current iOS updates — Apple regularly patches iOS vulnerabilities, including zero-days; enable automatic iOS updates to minimize exposure windows.

  3. For high-risk individuals: Use Apple's Lockdown Mode (iOS 16+) which significantly reduces the iOS attack surface including WebKit-based exploitation vectors; Lockdown Mode is specifically designed for individuals targeted by sophisticated commercial spyware like Pegasus.

  4. Verify device integrity — individuals concerned about Pegasus infection can use Amnesty International's Mobile Verification Toolkit (MVT) or iMazing to analyze device backups for indicators of compromise.

Key Details

Property              Value
CVE ID                CVE-2016-4655
Vendor / Product      Apple — iOS
NVD Published         2016-08-25
NVD Last Modified     2025-10-22
CVSS 3.1 Score        5.5
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity              MEDIUM
CWE                   CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor
CISA KEV Added        2022-05-24
CISA KEV Deadline     2022-06-14
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2022-06-14. Apply updates per vendor instructions.

Timeline

Date        Event
2016-08-10  Ahmed Mansoor (UAE human rights activist) receives suspicious SMS with link; forwards to Citizen Lab
2016-08-15  Citizen Lab and Lookout Security identify three iOS zero-days (Trident: CVE-2016-4655, CVE-2016-4656, CVE-2016-4657) and NSO Group's Pegasus spyware
2016-08-25  Apple releases iOS 9.3.5 patching all three Trident zero-days; CVEs published
2022-05-24  Added to CISA Known Exploited Vulnerabilities catalog
2022-06-14  CISA BOD 22-01 remediation deadline