Cyber Resilience

CVE-2021-30661

HighCISA KEVActive ExploitationEUVD Exploited

Published: 08 September 2021

Published
08 September 2021
Modified
23 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0005 16.7th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-30661 is a high-severity Use After Free (CWE-416) vulnerability in Apple Iphone Os. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 16.7th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A use-after-free vulnerability, tracked as CVE-2021-30661 and assigned CWE-416, affects WebKit components in multiple Apple products. It is present in versions of Safari prior to 14.1, iOS prior to 12.5.3 and 14.5, iPadOS prior to 14.5, watchOS prior to 7.4, tvOS prior to 14.5, and macOS Big Sur prior to 11.3. The flaw stems from improper memory management when handling web content and carries a CVSS 3.1 base score of 8.8.

An attacker can exploit the issue by serving maliciously crafted web content to a victim. Successful exploitation grants arbitrary code execution in the context of the affected process, requiring only that the user interact with the content (network vector, no privileges needed, user interaction required).

Apple security advisories HT212317, HT212318, HT212323, HT212324, and HT212325 state that the vulnerability is resolved by improved memory management in the versions listed above and recommend that users install the corresponding updates.

Apple has stated that it is aware of reports indicating the issue may have been actively exploited in the wild.

EU & UK References

Vulnerability details

A use after free issue was addressed with improved memory management. This issue is fixed in Safari 14.1, iOS 12.5.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5, macOS Big Sur 11.3. Processing maliciously crafted web content may lead…

more

to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
safari
≤ 14.1
apple
ipados
≤ 14.5
apple
iphone os
≤ 12.5.3 · 14.0 — 14.5
apple
macos
11.0 — 11.3
apple
tvos
≤ 14.5
apple
watchos
≤ 7.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of vendor patches that remediate the use-after-free flaw in WebKit before exploitation occurs.

prevent

Mandates memory-protection mechanisms that address the root cause of use-after-free conditions leading to arbitrary code execution.

prevent

Requires malicious-code protections on endpoints that can block or sandbox the malicious web content used to trigger the WebKit vulnerability.

References