CVE-2021-30952
Published: 24 August 2021
Summary
CVE-2021-30952 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Fedoraproject Fedora. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 25.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
An integer overflow vulnerability, identified as CVE-2021-30952 and classified under CWE-190, was addressed via improved input validation in components that handle web content. It affects multiple Apple platforms and is resolved in tvOS 15.2, macOS Monterey 12.1, Safari 15.2, iOS 15.2 and iPadOS 15.2, and watchOS 8.3. The issue carries a CVSS 3.1 score of 7.8, reflecting a local attack vector, low attack complexity, no privileges required, and user interaction required.
An attacker can exploit the flaw by supplying maliciously crafted web content that triggers the integer overflow during processing. Successful exploitation may result in arbitrary code execution with high impact to confidentiality, integrity, and availability on the affected system.
Apple security advisories HT212975 and HT212976, along with the related distribution-list announcements, indicate that applying the listed software updates mitigates the vulnerability by incorporating the input-validation fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17869
Vulnerability details
An integer overflow was addressed with improved input validation. This issue is fixed in tvOS 15.2, macOS Monterey 12.1, Safari 15.2, iOS 15.2 and iPadOS 15.2, watchOS 8.3. Processing maliciously crafted web content may lead to arbitrary code execution.
- CWE(s): CWE-190 (Integer Overflow or Wraparound)
- KEV Date Added: 05 March 2026
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs to reject malformed or oversized values that trigger the integer overflow in web-content processing.
- SI-2 (Flaw Remediation): mandates timely application of the vendor patches (tvOS 15.2, Safari 15.2, etc.) that implement the input-validation fix for CVE-2021-30952.
- Requires mechanisms to detect and block maliciously crafted web content before it reaches the vulnerable integer-handling code paths.