Cyber Resilience

CVE-2021-30858

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 24 August 2021
Modified: 27 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0079 (74.4th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-30858 is a high-severity Use After Free (CWE-416) vulnerability in Apple iPhone OS. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 25.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A use-after-free vulnerability, tracked as CVE-2021-30858 and assigned CWE-416, stems from insufficient memory management when processing web content. The flaw affects WebKit in iOS versions prior to 14.8, iPadOS versions prior to 14.8, and macOS Big Sur versions prior to 11.6.

An unauthenticated remote attacker can trigger the issue by causing a victim to process maliciously crafted web content, resulting in arbitrary code execution. The CVSS 3.1 score of 8.8 reflects a network attack vector with low complexity, required user interaction, and high impact across confidentiality, integrity, and availability.

Apple released fixes in iOS 14.8, iPadOS 14.8, and macOS Big Sur 11.6. The vendor states it is aware of reports that the vulnerability has been actively exploited in the wild.

EU & UK References

Vulnerability details

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CWE(s): CWE-416 (Use After Free)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple / ipados: 13.1 — 14.8
apple / iphone os: ≤ 12.5.5 · 13.0 — 14.8
apple / macos: ≤ 11.6
fedoraproject / fedora: 33, 34
debian / debian linux: 10.0, 11.0

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires memory protection mechanisms that address use-after-free flaws (CWE-416) during WebKit content processing.

prevent: Mandates timely application of vendor patches that remediate the WebKit use-after-free vulnerability before exploitation.

prevent, detect: Enforces malicious-code detection and blocking on web content that could otherwise trigger the memory-corruption exploit.

References