Cyber Resilience

CVE-2021-1789

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 02 April 2021
Modified: 23 October 2025
KEV Added: 04 May 2022
Patch: available (vendor updates listed below)
CVSS v3.1 score: 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS score: 0.0024 (47.9th percentile)
Risk Priority: 38 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-1789 is a high-severity Type Confusion (CWE-843) vulnerability in WebKit, affecting Apple macOS (listed by CPE as Mac OS X), iOS, iPadOS, tvOS, watchOS and Safari, as well as WebKitGTK. Its CVSS base score is 8.8 (High).

Operationally, its EPSS score places it at the 47.9th percentile by predicted exploit likelihood (below the median), but CISA has added it to the Known Exploited Vulnerabilities catalog, so it should be prioritised as an actively exploited flaw regardless of the EPSS rank.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

A type confusion vulnerability, tracked as CWE-843, was present in WebKit and addressed through improved state handling. The flaw affects multiple Apple platforms prior to the listed updates: macOS before Big Sur 11.2, Mojave and Catalina without Security Update 2021-001, iOS and iPadOS before 14.4, tvOS before 14.4, watchOS before 7.3, and Safari before 14.0.3. WebKitGTK releases up to 2.30.6 carry the same WebKit code and are listed as affected. The CVSS 3.1 base score of 8.8 reflects a network attack vector, low attack complexity and no required privileges; user interaction is required (UI:R), since a victim must load the crafted content.

An unauthenticated remote attacker can exploit the issue by delivering maliciously crafted web content that a user opens in a vulnerable browser or in any application that renders web content through WebKit. Successful exploitation yields arbitrary code execution with high impact on confidentiality, integrity and availability. The CVSS scope is unchanged (S:U), so the score rates the impact on the rendering component itself; on Apple platforms web content runs in a sandboxed process, and a full device compromise typically requires chaining this bug with a separate sandbox escape.

Apple security updates for the affected platforms and Safari 14.0.3 resolve the vulnerability. Distributions that package WebKit components, such as Fedora and Gentoo, shipped corresponding updates. The vendor references themselves do not describe in-the-wild exploitation; the only exploitation indicator on this page is the CISA KEV listing (added 04 May 2022), which by CISA's criteria requires evidence of active exploitation.


Vulnerability details

A type confusion issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4, Safari 14.0.3. Processing maliciously crafted web content may lead to arbitrary code execution.

CWE(s): CWE-843 (Type Confusion)
KEV Date Added: 04 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor          Product      Affected versions
apple           ipados       ≤ 14.4
apple           iphone os    ≤ 14.4
apple           mac os x     10.14 to 10.14.6; 10.15 to 10.15.7
apple           macos        11.0 to 11.2
apple           tvos         ≤ 14.4
apple           watchos      ≤ 7.3
fedoraproject   fedora       32, 33
webkitgtk       webkitgtk    ≤ 2.30.6

The bounds above are reproduced from the source data. The vendor advisory names iOS/iPadOS 14.4, tvOS 14.4, watchOS 7.3, macOS Big Sur 11.2 and Safari 14.0.3 as the fixed releases, so in practice the exposed range is strictly below those versions. Mojave and Catalina keep their existing version numbers and are fixed by Security Update 2021-001, so check that the update is installed rather than relying on the OS version alone; likewise a Fedora release number says nothing by itself, the installed WebKitGTK package version does.
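As an added example (not code from this page, Apple, or the WebKitGTK project), the following script turns the affected-asset table into an inventory check: it compares each host's reported version against the listed ranges, treats the vendor fix versions as exclusive upper bounds, and flags the rows where a version number alone cannot settle the question (Mojave/Catalina security updates, Fedora release numbers). Product keys such as "apple:macos" and the inventory rows are constructed for the example and are not identifiers from the page.

```python
"""Inventory check for CVE-2021-1789 against the affected-version ranges
listed in the advisory table. Added example; the product keys and the
sample inventory below are constructed, not taken from the page."""
from typing import Dict, List, Optional, Tuple

CVE_ID = "CVE-2021-1789"


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.15.7' -> (10, 15, 7). Tuples compare numerically, so 10.15.10
    sorts after 10.15.7 (a plain string compare would get that wrong)."""
    return tuple(int(p) for p in v.strip().split()[0].split("."))


# (lower bound inclusive, upper bound, upper bound inclusive?, note).
# Upper bounds for Apple releases are the first patched version from the
# vendor advisory, so the table's "<= 14.4" is applied as "< 14.4". The
# Mojave/Catalina rows are inclusive because Security Update 2021-001 does
# not change the OS version; webkitgtk keeps the inclusive bound as listed.
AFFECTED: Dict[str, List[Tuple[str, str, bool, Optional[str]]]] = {
    "apple:ipados":        [("0", "14.4", False, None)],
    "apple:iphone_os":     [("0", "14.4", False, None)],
    "apple:tvos":          [("0", "14.4", False, None)],
    "apple:watchos":       [("0", "7.3", False, None)],
    "apple:macos":         [("11.0", "11.2", False, None)],
    "apple:safari":        [("0", "14.0.3", False, None)],
    "apple:mac_os_x":      [("10.14", "10.14.6", True,
                             "confirm Security Update 2021-001 Mojave is installed"),
                            ("10.15", "10.15.7", True,
                             "confirm Security Update 2021-001 Catalina is installed")],
    "webkitgtk:webkitgtk": [("0", "2.30.6", True, None)],
}

# Distribution rows identify a release, not the WebKit build actually installed.
DISTRO_HINT = {
    "fedoraproject:fedora": "check the installed WebKitGTK package version, not the release number",
}


def assess(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Return (status, note); status is 'affected', 'not_affected' or 'unknown'."""
    if product in DISTRO_HINT:
        return ("unknown", DISTRO_HINT[product])
    ranges = AFFECTED.get(product)
    if ranges is None:
        return ("unknown", "product not in the affected-asset list")
    v = parse_version(version)
    for low, high, inclusive, note in ranges:
        if v < parse_version(low):
            continue
        h = parse_version(high)
        if v < h or (inclusive and v == h):
            return ("affected", note)
    return ("not_affected", None)


def scan(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """Run assess() over (host, product, version) rows and return only the
    rows that need action (affected or unknown), i.e. a work list."""
    findings = []
    for host, product, version in inventory:
        status, note = assess(product, version)
        if status != "not_affected":
            findings.append((host, product, version, status, note))
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("mbp-01",    "apple:macos",          "11.1"),
    ("mbp-02",    "apple:macos",          "11.2"),
    ("imac-03",   "apple:mac_os_x",       "10.15.7"),
    ("iphone-04", "apple:iphone_os",      "14.3"),
    ("iphone-05", "apple:iphone_os",      "14.4.1"),
    ("ci-06",     "webkitgtk:webkitgtk",  "2.30.6"),
    ("ci-07",     "webkitgtk:webkitgtk",  "2.32.0"),   # above the listed bound
    ("ci-08",     "fedoraproject:fedora", "33"),
]

if __name__ == "__main__":
    for host, product, version, status, note in scan(SAMPLE_INVENTORY):
        print(f"{CVE_ID} {host:10} {product:22} {version:8} {status:12} {note or ''}")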

Mitigating Controls

NIST 800-53 r5 mapping (AI-generated)

SI-2 Flaw Remediation (prevent)

Directly requires timely installation of the vendor security updates that remediate the WebKit type-confusion flaw before malicious web content can be processed.

SC-18 Mobile Code (prevent, partial match)

Restricts or disables execution of mobile code (JavaScript, WebAssembly, etc.) delivered via untrusted web content, limiting the attack vector that triggers the type confusion.

Malicious code protection (prevent, detect)

Deploys malicious-code detection mechanisms at the browser or host level that can block or alert on crafted web payloads attempting to exploit the WebKit vulnerability.
