Cyber Resilience

CVE-2021-30663

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 08 September 2021

Modified: 23 October 2025
KEV Added: 03 November 2021
Patch: available
CVSS v3.1 Score: 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.0096 (76.9th percentile)
Risk Priority: 38 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-30663 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in the web content processing component of Apple iPhone OS (iOS) and the other Apple platforms that share it. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 23.1% of CVEs by EPSS exploit likelihood (76.9th percentile), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

An integer overflow vulnerability, tracked as CVE-2021-30663 and classified as CWE-190, was present in the web content engine (WebKit) shared by multiple Apple platforms. It affected iOS 14.x prior to 14.5.1 and iOS 12.x prior to 12.5.3, iPadOS prior to 14.5.1, tvOS prior to 14.6, Safari prior to 14.1.1, and macOS Big Sur prior to 11.3.1. The flaw was resolved through improved input validation in those releases.

A remote attacker can trigger the issue by supplying maliciously crafted web content that a user is induced to process, such as via a web browser or other WebKit-based application. Successful exploitation yields arbitrary code execution with high impact on confidentiality, integrity, and availability, consistent with the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
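To make the CWE-190 mechanism concrete, the following is an added C example written for this page (not WebKit's or Apple's code). It shows the pattern the advisory describes: a buffer size computed from attacker-supplied dimensions wraps modulo 2^32, beside the overflow-checked validation that rejects the content before any allocation. The decoder shape, the 256 MiB cap, the header values and the function names are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not WebKit's code): a decoder reads an image width,
 * height and bytes-per-pixel from untrusted web content and sizes a pixel
 * buffer from them. 32-bit arithmetic is used deliberately so the wraparound
 * reproduces on every platform. */

#define MAX_IMAGE_BYTES (256u << 20)   /* assumed decoder limit: 256 MiB */

/* CWE-190 pattern: width * height * bpp wraps modulo 2^32, malloc() receives
 * a small size, and the row-copy loop that follows would write past the end. */
static uint32_t vuln_buffer_size(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;
}

/* What the decoder actually needs, computed in 64 bits so nothing wraps. */
static uint64_t true_buffer_size(uint32_t width, uint32_t height, uint32_t bpp) {
    return (uint64_t)width * height * bpp;
}

/* Hardened pattern ("improved input validation"): every multiplication is
 * overflow-checked and the result is capped before any allocation. Returns 0
 * and writes *out on success, -1 if the content is rejected. */
static int safe_buffer_size(uint32_t width, uint32_t height, uint32_t bpp, uint32_t *out) {
    uint32_t area, total;
    if (width == 0 || height == 0 || bpp == 0 || bpp > 4) return -1;
    if (__builtin_mul_overflow(width, height, &area)) return -1;   /* GCC/Clang builtin */
    if (__builtin_mul_overflow(area, bpp, &total)) return -1;
    if (total > MAX_IMAGE_BYTES) return -1;
    *out = total;
    return 0;
}

/* Safe decode path: validate, allocate, fill row by row, release.
 * Returns the number of bytes written, or 0 if the header was rejected. */
static uint32_t decode_checked(uint32_t width, uint32_t height, uint32_t bpp) {
    uint32_t size;
    if (safe_buffer_size(width, height, bpp, &size) != 0) return 0;
    uint8_t *pixels = malloc(size);
    if (!pixels) return 0;
    uint32_t row_bytes = width * bpp;          /* cannot wrap: size was validated */
    for (uint32_t y = 0; y < height; y++)
        memset(pixels + (size_t)y * row_bytes, 0xff, row_bytes);
    free(pixels);
    return size;
}

int main(void) {
    uint32_t w = 65537, h = 65536, bpp = 1;    /* crafted header values */
    uint32_t size;
    printf("wrapped size: %u bytes, real need: %llu bytes\n",
           vuln_buffer_size(w, h, bpp),
           (unsigned long long)true_buffer_size(w, h, bpp));
    printf("hardened check: %s\n",
           safe_buffer_size(w, h, bpp, &size) == 0 ? "accepted" : "rejected");
    printf("sane 800x600x4 decode wrote %u bytes\n", decode_checked(800, 600, 4));
    return 0;
}
```

With the crafted header 65537 x 65536 x 1, the wrapped product is 65536 bytes while the real requirement is 4295032832 bytes; a decoder that trusts the first number allocates 64 KiB and then copies four gigabytes of rows into it. The checked version rejects that header, and also rejects 20000 x 20000 x 4, which does not wrap but exceeds the cap, so the second check matters even where the arithmetic is sound.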

Apple security advisories for the listed updates direct administrators and users to install the patched versions of iOS, iPadOS, tvOS, Safari, and macOS Big Sur to address the integer overflow. No further details on exploitation in the wild are provided in the references.


Vulnerability details

An integer overflow was addressed with improved input validation. This issue is fixed in iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, Safari 14.1.1, macOS Big Sur 11.3.1. Processing maliciously crafted web content may lead to arbitrary code execution.

CWE(s): CWE-190 Integer Overflow or Wraparound
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product     Affected versions
apple    safari      < 14.1.1
apple    ipados      14.0 to < 14.5.1
apple    iphone os   < 12.5.3; 14.0 to < 14.5.1
apple    macos       11.0 to < 11.3.1
apple    tvos        < 14.6

Upper bounds are exclusive: the fix releases named in the Vulnerability details (Safari 14.1.1, iPadOS 14.5.1, iOS 12.5.3 and 14.5.1, macOS Big Sur 11.3.1, tvOS 14.6) are not affected.
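As an added example (not code from this page or from Apple), the C program below encodes the ranges in the Affected Assets table with exclusive upper bounds and scans a constructed inventory of product/version pairs for entries that still need the patch. The lowercase product names follow the table; the inventory lines, the helper names and the "product,version" line format are assumptions for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Affected ranges from this page, as [first_affected, fixed). The fixed
 * release itself is NOT affected, which is why "14.5.1" reports as patched. */
struct range { const char *product; const char *first; const char *fixed; };

static const struct range RANGES[] = {
    { "safari",    "0",    "14.1.1" },
    { "ipados",    "14.0", "14.5.1" },
    { "iphone os", "0",    "12.5.3" },
    { "iphone os", "14.0", "14.5.1" },
    { "macos",     "11.0", "11.3.1" },
    { "tvos",      "0",    "14.6"   },
};

/* Read one numeric component of a dotted version and skip the following dot.
 * A component with no digits counts as 0 and consumes one character, so
 * malformed input cannot loop forever. */
static long next_component(const char **p) {
    char *end;
    long v = strtol(*p, &end, 10);
    if (end == *p) end++;
    *p = end;
    if (**p == '.') (*p)++;
    return v;
}

/* Compare dotted versions numerically, component by component; a missing
 * component counts as 0, so "14.5" == "14.5.0" and "14.5" < "14.5.1". */
static int vercmp(const char *a, const char *b) {
    while (*a || *b) {
        long x = *a ? next_component(&a) : 0;
        long y = *b ? next_component(&b) : 0;
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

/* Returns 1 if (product, version) falls in a listed range, 0 if the product is
 * listed but the version is outside every range, -1 for products not listed. */
static int is_affected(const char *product, const char *version) {
    int known = 0;
    for (size_t i = 0; i < sizeof RANGES / sizeof RANGES[0]; i++) {
        if (strcmp(RANGES[i].product, product) != 0) continue;
        known = 1;
        if (vercmp(version, RANGES[i].first) >= 0 &&
            vercmp(version, RANGES[i].fixed) < 0)
            return 1;
    }
    return known ? 0 : -1;
}

/* Constructed inventory lines in "product,version" form (not real assets). */
static const char *INVENTORY[] = {
    "iphone os,14.5",
    "iphone os,14.5.1",
    "iphone os,12.5.2",
    "iphone os,13.7",
    "safari,14.1.1",
    "macos,11.2.3",
    "tvos,14.6",
    "watchos,7.4",
};

/* Scans the inventory and returns how many entries are in an affected range. */
static int count_affected(void) {
    int n = 0;
    for (size_t i = 0; i < sizeof INVENTORY / sizeof INVENTORY[0]; i++) {
        char line[64], *comma;
        strncpy(line, INVENTORY[i], sizeof line - 1);
        line[sizeof line - 1] = '\0';
        comma = strchr(line, ',');
        if (!comma) continue;
        *comma = '\0';
        int r = is_affected(line, comma + 1);
        printf("%-10s %-8s %s\n", line, comma + 1,
               r == 1 ? "AFFECTED" : r == 0 ? "outside listed ranges" : "not listed");
        if (r == 1) n++;
    }
    return n;
}

int main(void) {
    printf("%d affected entries\n", count_affected());
    return 0;
}
```

A result of 0 means only that the version is outside every range the page lists, not that the device is patched: the page names fixes for the iOS 12.x and 14.x branches only, so the 13.7 entry reports "outside listed ranges" and needs separate judgement. Comparison is numeric rather than lexical, so 14.10 sorts after 14.9.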

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires the improved input validation that Apple used to eliminate the integer overflow when processing untrusted web content.

SI-2 Flaw Remediation (prevent)

Mandates prompt application of the vendor patches (iOS 14.5.1/12.5.3, Safari 14.1.1, etc.) that remove the exploitable flaw.

SI-16 Memory Protection (prevent)

Provides memory-protection mechanisms that can block or contain arbitrary code execution resulting from a successful integer-overflow exploit.
