Cyber Resilience

CVE-2021-31010

High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 24 August 2021
Modified: 23 October 2025
KEV Added: 25 August 2022
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0072 (73.0th percentile)
Risk Priority: 35 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-31010 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apple Mac OS X. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 27.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A deserialization issue tracked as CVE-2021-31010 and assigned CWE-502 was present in multiple Apple operating systems. The flaw stems from insufficient validation during deserialization and could allow improper handling of serialized data. It affected iOS, iPadOS, macOS Catalina, macOS Big Sur, and watchOS prior to the releases that addressed it.

An attacker could exploit the vulnerability over a network, without authentication or user interaction, to enable a sandboxed process to bypass sandbox restrictions, resulting in unauthorized modification of data, as reflected in the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

The issue is resolved in Security Update 2021-005 Catalina, iOS 12.5.5, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2, as detailed in the corresponding Apple security advisories.

Apple stated that it was aware of reporting indicating the vulnerability may have been actively exploited in the wild at the time the fixes were released.

Vulnerability details

A deserialization issue was addressed through improved validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 12.5.5, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. A sandboxed process may be able to circumvent sandbox restrictions. Apple was aware of a report that this issue may have been actively exploited at the time of release.

CWE(s)
KEV Date Added: 25 August 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple ipados: ≤ 14.8
apple iphone os: 12.0 to 12.5.5 · 14.0 to 14.8
apple mac os x: 10.15.7 · 10.15 to 10.15.7
apple macos: 11.0 to 11.6
apple watchos: ≤ 7.6.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly mitigates the insufficient input validation during deserialization that enabled the sandbox bypass in CVE-2021-31010.

prevent: Enforces the sandbox access restrictions that the deserialization flaw was exploited to circumvent.

prevent: Provides the process isolation mechanism whose boundaries were violated by the unauthenticated deserialization attack.
