{"alias":[],"description":"The htmlCurrentChar function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.","epss":{"percentile":"0.79141","score":"0.012140"},"id":"CVE-2016-1833","metrics":{"cvss2":{"ac_insuf_info":0,"access_complexity":"MEDIUM","access_vector":"NETWORK","authentication":"NONE","availability_impact":"PARTIAL","base_score":4.3,"base_severity":"MEDIUM","confidentiality_impact":"NONE","exploitability_score":8.6,"impact_score":2.9,"integrity_impact":"NONE","obtain_all_privilege":0,"obtain_other_privilege":0,"obtain_user_privilege":0,"user_interaction_required":1,"vector_string":"AV:N\/AC:M\/Au:N\/C:N\/I:N\/A:P","version":"2.0"},"cvss3":{"attack_complexity":"LOW","attack_vector":"LOCAL","availability_impact":"HIGH","base_score":5.5,"base_severity":"MEDIUM","confidentiality_impact":"NONE","exploitability_score":1.8,"impact_score":3.6,"integrity_impact":"NONE","privileges_required":"NONE","scope":"UNCHANGED","user_interaction":"REQUIRED","vector_string":"CVSS:3.0\/AV:L\/AC:L\/PR:N\/UI:R\/S:U\/C:N\/I:N\/A:H","version":"3.0"}},"modified":"2026-05-06T22:30:45","nvd_status":"Modified","published":"2016-05-20T10:59:47","score":5.5,"severity":"MEDIUM","source":"product-security@apple.com","status":"PUBLISHED","weaknesses":[{"id":"CWE-125","name":"Out-of-bounds Read","type":"weakness"}]}