CVE-2016-4656 — Apple iOS Memory Corruption Vulnerability

CVE-2016-4656

Apple iOS Kernel — Memory Corruption Enables Full Kernel Control / Jailbreak; Stage 3 of 'Trident' Pegasus Chain; Patched iOS 9.3.5 (August 2016)

What Is Apple iOS?

Apple iOS is the operating system for iPhone and iPad. Complete iPhone compromise — enabling persistent access to messages, calls, emails, camera, microphone, and location — requires chaining multiple vulnerabilities across the browser (initial entry), kernel (privilege escalation), and persistence layers. Zero-day iOS exploit chains achieving this level of compromise command the highest prices in commercial vulnerability markets and are exclusively used by well-resourced threat actors.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 24, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-4656 is the third and final stage of the Trident iOS zero-day exploit chain used by NSO Group's Pegasus spyware. After CVE-2016-4657 (WebKit RCE) and CVE-2016-4655 (kernel KASLR bypass) execute, CVE-2016-4656 delivers the kernel memory corruption exploit that escalates from renderer-level code execution to full kernel control — achieving a complete remote jailbreak. This kernel-level access allows Pegasus to install persistent spyware invisible to the user, with access to all iOS communications, camera, microphone, and location data. Discovered by Citizen Lab and Lookout Security. Apple patched all three Trident vulnerabilities in iOS 9.3.5 on August 25, 2016. CISA added CVE-2016-4656 to the KEV catalog in May 2022.

Affected Versions

Apple iOS               Status
iOS 9.3.4 and earlier   Vulnerable
iOS 9.3.5               Fixed

Technical Details

The Trident Exploit Chain

CVE-2016-4656 is Stage 3 of the Trident three-stage exploit chain:

Stage  CVE            Type                             Purpose
1      CVE-2016-4657  WebKit memory corruption (RCE)   Entry: code execution via malicious link
2      CVE-2016-4655  Kernel information disclosure    KASLR bypass: reveal kernel memory layout
3      CVE-2016-4656  Kernel memory corruption (LPE)   Full kernel control: jailbreak + Pegasus installation

Root Cause: Kernel Memory Corruption

CVE-2016-4656 is an out-of-bounds write vulnerability (CWE-787) in the iOS kernel. After CVE-2016-4655 provides the kernel memory layout (defeating KASLR), CVE-2016-4656 exploits a memory corruption flaw in the kernel — likely in kernel extension (kext) processing, mach messaging, or memory management subsystems — to achieve a controlled out-of-bounds write.

With known kernel addresses from Stage 2 and a controlled kernel write from Stage 3, Pegasus could:

  1. Overwrite kernel data structures — modify task control blocks, credential structures, or security policy flags
  2. Elevate to root — escalate from the sandboxed WebKit process to full root/kernel privileges
  3. Disable iOS security mechanisms — bypass code signing, disable sandboxing, and circumvent kernel integrity checks
  4. Achieve persistence — modify the iOS filesystem to install Pegasus as a persistent background process that survives reboots

Pegasus Spyware Capabilities

Once CVE-2016-4656 achieved kernel control, the Pegasus installation provided:

  • Complete interception of iMessage, WhatsApp, Gmail, and other messaging apps
  • Real-time microphone and camera access
  • GPS location tracking
  • Contact list and calendar exfiltration
  • Call interception

Attack Characteristics

Attribute       Detail
Attack Vector   Local (AV:L) — staged via WebKit + KASLR bypass
Role in Chain   Stage 3 — complete kernel compromise
Effect          Full kernel control; persistent spyware installation
Payload         NSO Group Pegasus spyware
Requires        Stages 1 (CVE-2016-4657) and 2 (CVE-2016-4655)

Discovery

Discovered by Citizen Lab and Lookout Security through analysis of a suspicious link sent to UAE human rights activist Ahmed Mansoor on August 10, 2016. Citizen Lab's investigation identified all three Trident zero-days and documented NSO Group's Pegasus spyware infrastructure. Apple was notified and released iOS 9.3.5 within 10 days.

Exploitation Context

  • NSO Group's Pegasus: CVE-2016-4656 was the LPE component of NSO Group's Pegasus v2.x, a commercial surveillance product sold to nation-state clients; the Trident chain represented the state of the art in mobile exploitation and was used to target political dissidents, journalists, and human rights activists
  • Million-dollar iOS zero-day: At 2016 exploit market valuations, three iOS zero-days chained for remote jailbreak were worth approximately $1 million USD; NSO Group's clients paid for this capability as a service
  • Activist and journalist targeting: Citizen Lab documented Pegasus use against Ahmed Mansoor (UAE), Rafael Cabrera (Mexico), and researchers in Kazakhstan, Turkey, and across the Middle East — consistent with government targeting of civil society
  • Watershed event: The Trident/Pegasus disclosure drove significant investment in iOS security, including the creation of Apple's Lockdown Mode and accelerated iOS security research globally
  • CISA KEV (2022): Added May 2022 alongside CVE-2016-4655 and CVE-2016-4657

Remediation

CISA BOD 22-01 Deadline: June 14, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Update to iOS 9.3.5 or later — all iOS versions from 9.3.5 onward patch the Trident vulnerabilities. Any current iOS release is patched. Update via Settings → General → Software Update.

  2. Enable automatic iOS updates — configure iOS to automatically install security updates; mobile zero-day exploitation windows are short once patches are released, and automatic updates minimize exposure.

  3. Use Apple Lockdown Mode for high-risk users — Lockdown Mode (iOS 16+) significantly reduces iOS attack surface by disabling many WebKit features, JIT compilation, and message link previews that form the entry point for mobile exploit chains; recommended for journalists, activists, and others at high risk of state-sponsored targeting.

  4. Check for Pegasus indicators — Amnesty International's Mobile Verification Toolkit (MVT) and iMazing can detect Pegasus indicators in iOS backups; individuals concerned about targeting should use these tools.
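The first remediation step is a fleet question: which managed devices still run a build below iOS 9.3.5? The following script is an added example for this advisory, not Apple's, CISA's or any MDM vendor's code. It assumes a constructed CSV inventory export with `device_id` and `os_version` columns (the device ids are hypothetical) and shows the one check that is easy to get wrong: iOS versions must be compared as numeric tuples, because a plain string comparison ranks "9.10" below "9.3.5".

```python
"""Flag iOS devices still on builds affected by CVE-2016-4656 (iOS <= 9.3.4).

Added example for this advisory; not Apple's, CISA's or any MDM vendor's code.
Assumes a constructed CSV export with the columns: device_id, os_version.
"""
import csv
import io

# Fixed version from the advisory: Apple patched the Trident chain in iOS 9.3.5.
FIXED_VERSION = "9.3.5"

# Constructed sample of an MDM inventory export (device ids are hypothetical).
SAMPLE_INVENTORY = """device_id,os_version
iphone-001,9.3.4
iphone-002,9.3.5
iphone-003,9.10
iphone-004,10.0.1
iphone-005,9.3
iphone-006,8.4.1
"""


def parse_version(text):
    """Turn '9.3.5' into (9, 3, 5).

    A shorter tuple such as (9, 3) for '9.3' compares below (9, 3, 5), which is
    the right answer: iOS 9.3 predates 9.3.5.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(os_version, fixed=FIXED_VERSION):
    """True when the device runs any iOS release older than the fixed one.

    Tuples compare component-wise, so 9.10 correctly ranks above 9.3.5; a plain
    string comparison would wrongly report '9.10' < '9.3.5' and miss nothing,
    but would also wrongly flag a patched device as vulnerable.
    """
    return parse_version(os_version) < parse_version(fixed)


def find_vulnerable_devices(inventory_csv):
    """Return the device ids from a CSV export that still need the iOS 9.3.5 update."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [row["device_id"] for row in reader if is_vulnerable(row["os_version"])]


if __name__ == "__main__":
    for device in find_vulnerable_devices(SAMPLE_INVENTORY):
        print(f"{device}: update required (pre-9.3.5 build, CVE-2016-4656 unpatched)")
```

Against the constructed sample the check reports `iphone-001`, `iphone-005` and `iphone-006`; `iphone-003` on 9.10 is correctly left alone, which is the case a string-based comparison gets backwards.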

Key Details

Property              Value
CVE ID                CVE-2016-4656
Vendor / Product      Apple — iOS
NVD Published         2016-08-25
NVD Last Modified     2025-10-22
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-787 — Out-of-Bounds Write
CISA KEV Added        2022-05-24
CISA KEV Deadline     2022-06-14
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Local
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-06-14. Apply updates per vendor instructions.

Timeline

Date        Event
2016-08-10  Ahmed Mansoor (UAE human rights activist) receives suspicious SMS; Citizen Lab investigation begins
2016-08-15  Citizen Lab and Lookout identify three iOS zero-days (Trident) and Pegasus spyware
2016-08-25  Apple releases iOS 9.3.5 patching CVE-2016-4655, CVE-2016-4656, CVE-2016-4657; CVEs published
2022-05-24  Added to CISA Known Exploited Vulnerabilities catalog
2022-06-14  CISA BOD 22-01 remediation deadline