Cyber Resilience

CVE-2021-30665

HighCISA KEVActive ExploitationEUVD Exploited

Published: 08 September 2021

Published
08 September 2021
Modified
23 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0019 40.6th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-30665 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Apple Iphone Os. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 40.6th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A memory corruption vulnerability, identified as CWE-787, affects multiple Apple platforms and stems from improper state management during the processing of web content. Impacted software includes watchOS prior to 7.4.1, iOS and iPadOS prior to 14.5.1, tvOS prior to 14.6, iOS 12.x prior to 12.5.3, and macOS Big Sur prior to 11.3.1. The flaw carries a CVSS score of 8.8 and enables out-of-bounds write operations when handling untrusted input.

An unauthenticated remote attacker can exploit the issue by supplying maliciously crafted web content that a user is tricked into processing, such as through a web browser or other web-rendering component. Successful exploitation grants arbitrary code execution with full read, write, and execution impact on the affected device.

Apple security advisories for the listed updates state that the vulnerability is resolved by applying the respective patches, which improve state management to prevent the memory corruption. The references detail the fixed versions for each platform and urge immediate installation to address the exposure.

Apple has noted reports indicating that this vulnerability may have been actively exploited in the wild prior to patching.

EU & UK References

Vulnerability details

A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 7.4.1, iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, macOS Big Sur 11.3.1. Processing maliciously crafted web content may lead to arbitrary code…

more

execution. Apple is aware of a report that this issue may have been actively exploited..

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
ipados
≤ 14.5.1
apple
iphone os
≤ 12.5.3 · 13.0 — 14.5.1
apple
macos
≤ 11.3.1
apple
tvos
≤ 14.6
apple
watchos
≤ 7.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly counters the out-of-bounds write (CWE-787) memory corruption by enforcing memory protection mechanisms during web-content processing.

prevent

Requires timely application of the vendor patches that improve state management and close the actively exploited flaw in the listed Apple platforms.

preventdetect

Provides malicious-code detection and blocking for untrusted web content that triggers the remote code-execution path.

References