CVE-2021-30661
Vexday Risk Score
51 (Attention)
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS: 8.8
EPSS: 4.3%
KEV: yes (listed in the CISA Known Exploited Vulnerabilities catalog)
PoC: —
Nuclei template: —
Metasploit module: —
Patch link: — (fixed versions are listed in the official description below)
Lifecycle
08 Sep 2021: Published on NVD
03 Nov 2021: Added to CISA KEV (active exploitation)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
A use-after-free in WebKit, the browser engine used by Safari and embedded across Apple's operating systems, allows an attacker who gets a user to load crafted web content to execute arbitrary code. Apple reported that the issue may have been actively exploited, and CISA later listed it in its Known Exploited Vulnerabilities catalog.
Technical detail
Use-after-free vulnerability (CWE-416) in WebKit memory management. The attack vector is network-based: the victim only has to load maliciously crafted web content (a visited page, a link, or content rendered by a WebKit view inside another app), which is the single user interaction the CVSS vector records as UI:R. Successful exploitation yields arbitrary code execution in the context of the process that rendered the content, which an attacker typically pairs with a separate sandbox escape or privilege escalation to gain persistence on the device; the public advisories do not describe the exploit chain used in the wild.
Summary generated and translated by AI from the official description.
A use after free issue was addressed with improved memory management. This issue is fixed in Safari 14.1, iOS 12.5.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5, macOS Big Sur 11.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
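Added example (not code from this page or from Apple): a patch-status triage that encodes the fixed versions from the official description above and applies them to a device inventory export. The practitioner's trap is branch handling: iOS 12.5.3 is the fix for the older 12.x branch, so a naive "version >= 14.5" test would flag a fully patched iOS 12.5.3 device as vulnerable. The CSV layout, the `status`/`needs_action` function names and the handling of branches the advisories do not list (iOS 13.x treated as vulnerable until upgraded, macOS before Big Sur needing a separate Safari 14.1 check, later majors treated as patched) are assumptions made here, not statements from the page.

```python
"""Patch-status triage for CVE-2021-30661.

Added example; not code from the advisory page or from Apple. It encodes the
fixed versions the official description lists (Safari 14.1, iOS 12.5.3,
iOS/iPadOS 14.5, watchOS 7.4, tvOS 14.5, macOS Big Sur 11.3) and applies
them to an inventory export. The point is branch handling: a naive
"version >= 14.5" test would flag a patched iOS 12.5.3 device as vulnerable.
"""
import csv
import io
from typing import List, Tuple

# First fixed build per (platform, major-version branch), taken from the
# fixed-version list in the official description.
FIXED = {
    ("ios", 12): "12.5.3",
    ("ios", 14): "14.5",
    ("ipados", 14): "14.5",
    ("watchos", 7): "7.4",
    ("tvos", 14): "14.5",
    ("macos", 11): "11.3",    # Big Sur
    ("safari", 14): "14.1",   # standalone Safari update for older macOS
}

PLATFORMS = {platform for platform, _ in FIXED}


def parse_version(text: str) -> Tuple[int, ...]:
    """'14.4.2' -> (14, 4, 2); a trailing build id like '14.5 (18E199)' is dropped.

    Tuple comparison orders versions correctly, including (14, 4, 2) < (14, 5).
    """
    numeric = text.strip().split()[0]
    return tuple(int(part) for part in numeric.split("."))


def status(platform: str, version: str) -> str:
    """Classify one device as 'patched', 'vulnerable', 'check_safari' or 'unknown'.

    Assumptions (not stated on the page): a major version newer than the
    newest fixed branch ships after the fix ('patched'); a branch with no
    listed fix, e.g. iOS 13.x, is still vulnerable until upgraded; macOS
    before Big Sur is patched via the separate Safari 14.1 update, so the
    OS version alone cannot decide it ('check_safari').
    """
    platform = platform.lower()
    if platform not in PLATFORMS:
        return "unknown"
    ver = parse_version(version)
    major = ver[0]
    if platform == "macos" and major < 11:
        return "check_safari"
    fixed = FIXED.get((platform, major))
    if fixed is not None:
        return "patched" if ver >= parse_version(fixed) else "vulnerable"
    newest_fixed_major = max(m for p, m in FIXED if p == platform)
    return "patched" if major > newest_fixed_major else "vulnerable"


def needs_action(inventory_csv: str) -> List[Tuple[str, str]]:
    """Return (device_id, status) for every device not confirmed patched."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    result = []
    for row in reader:
        s = status(row["platform"], row["version"])
        if s != "patched":
            result.append((row["device_id"], s))
    return result


# Constructed sample inventory (not real devices), in the shape of an MDM export.
SAMPLE_INVENTORY = """\
device_id,platform,version
mac-001,macos,11.2.3
mac-002,macos,11.3
mac-003,macos,10.15.7
iphone-001,ios,14.4.2
iphone-002,ios,12.5.3
iphone-003,ios,13.7
watch-001,watchos,7.3.3
tv-001,tvos,14.5
"""

if __name__ == "__main__":
    for device_id, s in needs_action(SAMPLE_INVENTORY):
        print(f"{device_id}: {s}")
```

On the sample inventory, mac-002, iphone-002 and tv-001 are reported as patched; the remaining five rows come back as vulnerable or, for the Catalina Mac, as needing a Safari version check. Feed it a real export by swapping `SAMPLE_INVENTORY` for the file contents, and extend `FIXED` only from the vendor advisory, never from memory.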
References
https://support.apple.com/en-us/HT212317 (iOS 14.5 and iPadOS 14.5)
https://support.apple.com/en-us/HT212318 (macOS Big Sur 11.3)
https://support.apple.com/en-us/HT212323 (watchOS 7.4)
https://support.apple.com/en-us/HT212324 (tvOS 14.5)
https://support.apple.com/en-us/HT212325 (Safari 14.1)
https://support.apple.com/en-us/HT212341 (iOS 12.5.3)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30661 (CISA KEV entry)