What Is Apple iOS WebKit?
WebKit is Apple's open-source browser engine powering Safari on iOS, macOS, and iPadOS. On iOS, WebKit is the only permitted browser rendering engine — all browsers on iOS (Chrome, Firefox, Edge) use WebKit under the hood. WebKit's role as the universal browser engine for iOS makes WebKit vulnerabilities applicable to every iOS web browser simultaneously. When WebKit is exploited, an attacker achieves code execution in the browser's renderer process — the first step toward a full device compromise through subsequent kernel exploitation.
Overview
CVE-2016-4657 is a WebKit memory corruption vulnerability that serves as the Stage 1 entry point of the Trident iOS zero-day exploit chain used by NSO Group's Pegasus spyware. When an iOS device visits a malicious URL in Safari (delivered via SMS, iMessage, or email), the crafted page triggers the flaw to achieve initial code execution in the WebKit renderer process. This execution is then used to chain to CVE-2016-4655 (kernel KASLR bypass) and CVE-2016-4656 (kernel LPE), resulting in a complete device jailbreak and Pegasus installation — all from a single URL tap. The vulnerability was discovered by Citizen Lab and Lookout Security and patched in iOS 9.3.5 (August 25, 2016); CISA added CVE-2016-4657 to the KEV catalog in May 2022.
Affected Versions
| Product | Version | Status |
|---|---|---|
| Apple iOS | 9.3.4 and earlier | Vulnerable |
| Apple iOS | 9.3.5 | Fixed |
| All browsers on iOS | (using WebKit on iOS ≤ 9.3.4) | Vulnerable |
Note: The WebKit vulnerability also affects macOS Safari and other platforms using the same WebKit version; iOS was the primary attack target for the Trident chain.
Technical Details
The Trident Exploit Chain
CVE-2016-4657 is Stage 1 of the Trident three-stage exploit chain:
| Stage | CVE | Type | Purpose |
|---|---|---|---|
| 1 | CVE-2016-4657 | WebKit memory corruption (RCE) | Entry: one-click RCE via malicious URL |
| 2 | CVE-2016-4655 | Kernel information disclosure | KASLR bypass: reveal kernel memory layout |
| 3 | CVE-2016-4656 | Kernel memory corruption (LPE) | Full kernel control: jailbreak + Pegasus installation |
Root Cause: WebKit Memory Corruption
CVE-2016-4657 is a memory corruption vulnerability (CWE-787) in WebKit's JavaScript engine (JavaScriptCore) or HTML/CSS processing pipeline. When iOS Safari loads a specially crafted web page, the WebKit renderer processes malformed content that triggers an out-of-bounds write — corrupting heap memory in a way that allows control flow hijacking.
Exploitation flow:
- Attacker sends malicious SMS/iMessage link to the target's iPhone
- Victim taps the link — Safari opens the URL
- WebKit processes the malicious page — the crafted content triggers the memory corruption
- Code executes in the WebKit renderer process — attacker's code runs in the Safari sandbox
- Stage 2 and 3 execute — from within the renderer, CVE-2016-4655 and CVE-2016-4656 escalate to full kernel control
One-Tap Remote Jailbreak
The combination of CVE-2016-4657 (remote, single user interaction) with CVE-2016-4655 and CVE-2016-4656 (kernel escalation) produced a one-tap remote jailbreak — a complete iPhone compromise from a single tap on a malicious link, with no further interaction required. The victim saw a brief Safari loading screen followed by a crash/restart, with Pegasus silently installed in the background.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — malicious URL in SMS, iMessage, email |
| User Interaction | Required — single tap on malicious link |
| Role in Chain | Stage 1 — initial code execution entry point |
| Browsers Affected | All iOS browsers (all use WebKit on iOS) |
| Delivery | SMS, iMessage, email — any link-carrying channel |
Discovery
Discovered by Citizen Lab and Lookout Security through analysis of suspicious links sent to UAE activist Ahmed Mansoor on August 10, 2016. Citizen Lab's research identified the complete Trident chain and NSO Group's infrastructure. This was the first public documentation of a commercial iOS zero-day exploit chain used against civil society.
Exploitation Context
- Pegasus delivery mechanism: CVE-2016-4657 is the entry point through which NSO Group's Pegasus spyware was delivered — a single malicious URL could completely compromise an iPhone through an SMS or iMessage link without requiring any complex social engineering beyond the target tapping a link
- WebKit as universal iOS attack surface: Because all iOS browsers are required to use WebKit, WebKit vulnerabilities simultaneously affect Safari, Chrome for iOS, Firefox for iOS, and every other iOS browser — a single WebKit exploit provides universal iOS browser exploitation
- Nation-state targeting of civil society: Citizen Lab documented Pegasus use against journalists, lawyers, and human rights activists across the Middle East, Mexico, and elsewhere; CVE-2016-4657 was the trigger for these compromises
- iMessage zero-click evolution: Subsequent NSO Group/Pegasus exploit chains used iMessage zero-click vectors (CVE-2021-30860 "ForcedEntry") that removed even the single tap requirement; CVE-2016-4657 represents an earlier generation requiring one tap
- CISA KEV (2022): Added May 2022 alongside CVE-2016-4655 and CVE-2016-4656
Remediation
- Update to iOS 9.3.5 or later — any current iOS release patches the Trident vulnerabilities. Update via Settings → General → Software Update.
- Enable automatic iOS updates — configure iOS to automatically install security updates; mobile exploit chains are frequently patched with emergency updates, and automatic updates minimize exposure windows.
- Use Apple Lockdown Mode for high-risk individuals — Lockdown Mode (iOS 16+) disables many WebKit features that are required for advanced JavaScript exploitation, significantly raising the bar for WebKit-based exploit chains; recommended for journalists, activists, and others at elevated risk of commercial spyware targeting.
- Be suspicious of unexpected links — Pegasus and similar spyware are delivered via unsolicited SMS, iMessage, or email links; high-risk individuals should avoid tapping links from unknown senders and use Lockdown Mode's automatic link handling.
- Verify device integrity — use Amnesty International's Mobile Verification Toolkit (MVT) to check iOS backups for Pegasus indicators of compromise.
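The following Python is an added example written for this page; it is not MVT's code and not part of the original text. It performs two defensive checks on data in the shape an iOS backup provides, covering both the Affected Versions table and the MVT remediation item above: it reads the `Product Version` key from the backup's Info.plist and compares it against the 9.3.5 fix as a version tuple (a plain string comparison would rank "9.3.10" below "9.3.5"), and it scans the `text` column of an sms.db `message` table for links whose hostname equals, or is a subdomain of, a domain on an indicator list, which is the kind of domain-indicator match MVT's `check-backup` performs against STIX2 IOCs. The backup contents and the indicator domains (`update.example.test`, `sms-alert.example.invalid`) are constructed placeholders, not real Pegasus indicators; attachment-only messages with a NULL body and look-alike hosts such as `evil-update.example.test` are included to show the edge cases the matcher must handle.

```python
import plistlib
import re
import sqlite3
from urllib.parse import urlsplit

# iOS release that shipped the fix for the Trident CVEs (from the page).
FIXED_VERSION = (9, 3, 5)

# Constructed placeholder indicator domains (NOT real Pegasus indicators).
SAMPLE_INDICATOR_DOMAINS = {"update.example.test", "sms-alert.example.invalid"}


def parse_version(version):
    """'9.3.4' -> (9, 3, 4); short strings are zero-padded so '9.3' -> (9, 3, 0).
    Tuple comparison avoids the string pitfall where '9.3.10' < '9.3.5'."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True when the device's iOS version predates the 9.3.5 fix."""
    return parse_version(version) < FIXED_VERSION


def backup_ios_version(info_plist_bytes):
    """Read the iOS version from the backup's Info.plist ('Product Version' key)."""
    return plistlib.loads(info_plist_bytes)["Product Version"]


URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hostnames(text):
    """Hostnames of every URL in a message body. A None body (attachment-only
    message) yields nothing; hosts are lower-cased with any trailing dot removed."""
    hosts = set()
    for match in URL_RE.finditer(text or ""):
        host = urlsplit(match.group(0)).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def matching_indicator(host, indicator_domains):
    """Return the indicator that host equals or is a subdomain of, else None.
    The '.' prefix keeps 'evil-update.example.test' from matching 'update.example.test'."""
    for domain in indicator_domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_messages(conn, indicator_domains):
    """Check each row of the sms.db 'message' table for indicator-matching links."""
    hits = []
    for rowid, text in conn.execute("SELECT ROWID, text FROM message ORDER BY ROWID"):
        for host in sorted(extract_hostnames(text)):
            domain = matching_indicator(host, indicator_domains)
            if domain:
                hits.append({"rowid": rowid, "host": host, "indicator": domain})
    return hits


def triage_backup(info_plist_bytes, conn, indicator_domains):
    """Combine the version check and the indicator scan into one report."""
    version = backup_ios_version(info_plist_bytes)
    return {
        "ios_version": version,
        "vulnerable_to_trident": is_vulnerable(version),
        "indicator_hits": scan_messages(conn, indicator_domains),
    }


def build_sample_backup():
    """Constructed stand-in for a backup: an Info.plist and an in-memory sms.db."""
    info_plist = plistlib.dumps({"Product Version": "9.3.4", "Device Name": "sample"})
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT)")
    conn.executemany(
        "INSERT INTO message (ROWID, text) VALUES (?, ?)",
        [
            (1, "Your parcel is waiting: https://update.example.test/track?id=17"),
            (2, "Release notes: https://www.apple.com/ios/"),
            (3, "New details https://CDN.Update.Example.Test/doc"),  # subdomain, mixed case
            (4, None),                                              # attachment-only message
            (5, "http://evil-update.example.test/"),                # look-alike, not a subdomain
        ],
    )
    return info_plist, conn


def run_demo():
    info_plist, conn = build_sample_backup()
    return triage_backup(info_plist, conn, SAMPLE_INDICATOR_DOMAINS)


if __name__ == "__main__":
    print(run_demo())
```

On the constructed backup the report flags the 9.3.4 device as vulnerable and returns hits for rows 1 and 3 only; the look-alike host in row 5 is rejected by the subdomain boundary check. Against a real backup MVT additionally decrypts the backup, resolves the hashed file names and checks many more artifacts than sms.db, so this is an illustration of the matching logic rather than a replacement for the tool.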
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2016-4657 |
| Vendor / Product | Apple — iOS |
| NVD Published | 2016-08-25 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 — Out-of-Bounds Write |
| CISA KEV Added | 2022-05-24 |
| CISA KEV Deadline | 2022-06-14 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2016-08-10 | Ahmed Mansoor receives suspicious SMS with link; Citizen Lab investigation begins identifying the Trident chain |
| 2016-08-15 | Citizen Lab and Lookout Security identify three iOS zero-days and Pegasus spyware; Apple notified |
| 2016-08-25 | Apple releases iOS 9.3.5 patching CVE-2016-4655, CVE-2016-4656, CVE-2016-4657 |
| 2022-05-24 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-06-14 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2016-4657 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Apple Security Update — iOS 9.3.5 (HT207107) | Vendor Advisory |
| Citizen Lab — Trident: Three Zero-Days Used to Hack Activist Ahmed Mansoor | Security Research |