
CVE-2021-30762

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 08 September 2021
Modified: 23 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (14.7th percentile)
Risk Priority: 38 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-30762 is a high-severity Use After Free (CWE-416) vulnerability in Apple iPhone OS (iOS). Its CVSS base score is 8.8 (High).

Operationally, its EPSS score ranks at the 14.7th percentile by exploit likelihood (below the median), yet CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A use-after-free vulnerability, tracked as CVE-2021-30762 and assigned CWE-416, affects iOS prior to version 12.5.4. The flaw resides in the handling of web content and was resolved through improved memory management. Successful exploitation can result in arbitrary code execution, as reflected in its CVSS 3.1 score of 8.8.

An unauthenticated remote attacker can trigger the issue by supplying maliciously crafted web content that a user visits or renders, requiring no privileges and only user interaction to achieve full compromise of the affected device.

Apple's advisory HT212548 states that the vulnerability is fixed in iOS 12.5.4, and CISA includes the CVE in its catalog of known exploited vulnerabilities, confirming the availability of the patch as the primary mitigation.

Apple has reported that the issue may have been actively exploited in the wild.

EU & UK References

Vulnerability details

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 12.5.4. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CWE(s): CWE-416 (Use After Free)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apple
Product: iphone os
Versions: ≤ 12.5.4

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely application of the iOS 12.5.4 patch that resolves the use-after-free flaw before exploitation occurs.

SI-16 Memory Protection (prevent): Mandates memory-protection mechanisms that would have blocked the use-after-free condition during malicious web-content processing.

Malicious-code protection (prevent, detect): Requires malicious-code detection and blocking capabilities that can intercept crafted web content used to trigger the vulnerability.

References