CVE-2021-30983
Published: 24 August 2021
Summary
CVE-2021-30983 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Apple iPadOS. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 33.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
A buffer overflow vulnerability, tracked as CVE-2021-30983 and assigned CWE-120, was present in iOS and iPadOS prior to version 15.2. The flaw stems from insufficient memory handling and received a CVSS v3.1 score of 7.8. Successful exploitation enables an application to execute arbitrary code with kernel privileges.
The attack requires local access with no privileges but does involve user interaction, allowing a malicious application to achieve full kernel-level code execution on the device.
Apple addressed the issue through improved memory handling in the iOS 15.2 and iPadOS 15.2 releases, as detailed in HT212976. The vulnerability also appears in CISA's catalog of known exploited vulnerabilities, confirming real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17900
Vulnerability details
A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 15.2 and iPadOS 15.2. An application may be able to execute arbitrary code with kernel privileges.
- CWE(s)
- KEV Date Added: 27 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly enforces memory protections that mitigate buffer overflows (CWE-120) and prevent arbitrary kernel code execution from malicious apps.
Requires timely application of patches that remediate the specific memory-handling flaw fixed in iOS/iPadOS 15.2.
Verifies software/firmware integrity to detect or block exploitation attempts that rely on unauthorized code execution at kernel level.