Cyber Resilience

CVE-2021-30666

HighCISA KEVActive ExploitationEUVD Exploited

Published: 08 September 2021

Published
08 September 2021
Modified
23 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0118 79.1th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-30666 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Apple Iphone Os. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 20.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A buffer overflow vulnerability, tracked as CVE-2021-30666 and assigned CWE-119, affects iOS versions prior to 12.5.3. The flaw stems from improper memory handling when processing web content and carries a CVSS 3.1 score of 8.8, reflecting network attack vectors with low complexity and no required privileges.

An unauthenticated remote attacker can exploit the issue by supplying maliciously crafted web content that a victim processes, typically through a browser or WebKit-based application. Successful exploitation results in arbitrary code execution, granting the attacker full control over confidentiality, integrity, and availability on the device.

Apple addressed the vulnerability with improved memory handling in the iOS 12.5.3 release, as detailed in its security advisory HT212341. The CISA Known Exploited Vulnerabilities catalog lists the CVE, confirming active exploitation in the wild and underscoring the need for immediate patching on supported devices.

EU & UK References

Vulnerability details

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 12.5.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been…

more

actively exploited..

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
iphone os
≤ 12.5.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires memory protection mechanisms that would have prevented exploitation of the buffer overflow in WebKit content processing.

prevent

Mandates timely flaw remediation, directly addressing the need to apply the iOS 12.5.3 memory-handling fix for this actively exploited CVE.

prevent

Requires validation of input data, which can mitigate buffer overflows when processing untrusted web content even if the root memory flaw remains.

References