Cyber Resilience

CVE-2021-30900

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 24 August 2021
Modified: 23 October 2025
KEV Added: 30 March 2023
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0048 (65.6th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-30900 is a high-severity out-of-bounds write (CWE-787) vulnerability in Apple iPadOS. Its CVSS base score is 7.8 (High).

Operationally, it is ranked in the top 34.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

An out-of-bounds write vulnerability, tracked as CVE-2021-30900 and assigned CWE-787, affects iOS and iPadOS. The flaw stems from insufficient bounds checking and received a CVSS v3.1 score of 7.8. It is resolved in iOS 14.8.1, iPadOS 14.8.1, iOS 15.1, and iPadOS 15.1.

A malicious application running on an affected device can trigger the issue to perform an out-of-bounds write. Successful exploitation grants the attacker the ability to execute arbitrary code with kernel privileges. The attack requires local access, no prior privileges, and some user interaction.

Apple security advisories direct users to install the listed updates, which incorporate improved bounds checking to eliminate the flaw. The referenced support documents detail the affected builds and corresponding patched releases for both iOS and iPadOS.

EU & UK References

Vulnerability details

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 14.8.1 and iPadOS 14.8.1, iOS 15.1 and iPadOS 15.1. A malicious application may be able to execute arbitrary code with kernel privileges.

CWE(s)
KEV Date Added: 30 March 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple / ipados: 15.0 · ≤ 14.8.1
apple / iphone os: 15.0 · ≤ 14.8.1
apple / macos: ≤ 11.6.1

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires applying the vendor patches that add the improved bounds checking to eliminate the out-of-bounds write.

prevent

Mandates input validation and bounds checking that would have prevented the CWE-787 flaw allowing kernel-level code execution.

prevent

Requires memory-protection mechanisms that can block or contain exploitation of out-of-bounds writes to gain kernel privileges.
