⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-30661Use After Free in Apple IOS AND Ipados

CWE-416Use After FreeCWE-20Improper Input Validation19 documents12 sources
Severity
8.8HIGHNVD
EPSS
0.1%
top 69.92%
CISA KEV
KEV
Added 2021-11-03
Due 2021-11-17
Exploit
Exploited in wild
Active exploitation observed
Affected products
7
Apple IOS AND IpadosApple MacosApple Safari+4 more
Timeline
PublishedSep 8
KEV addedNov 3
KEV dueNov 17
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

A use after free issue was addressed with improved memory management. This issue is fixed in Safari 14.1, iOS 12.5.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5, macOS Big Sur 11.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages11 packages

CVEListV5apple/tvosunspecified14.5
NVDapple/tvos< 14.5
CVEListV5apple/macosunspecified11.3+1
NVDapple/macos11.011.3
CVEListV5apple/safariunspecified14.1

🔴Vulnerability Details

5
GHSA
GHSA-79qq-9x66-f5r5: A use after free issue was addressed with improved memory management2022-05-24
Project0
The More You Know, The More You Know You Don’t Know - Project Zero2022-04-01
CVEList
CVE-2021-30661: A use after free issue was addressed with improved memory management2021-09-08
OSV
CVE-2021-30661: A use after free issue was addressed with improved memory management2021-09-08
VulnCheck
Apple Multiple Products WebKit Storage Use-After-Free Vulnerability2021

📋Vendor Advisories

5
CISA
Apple Multiple Products WebKit Storage Use-After-Free Vulnerability2021-11-03
Red Hat
webkitgtk: Use-after-free leading to arbitrary code execution2021-07-28
Apple
CVE-2021-30661: iOS 14.5 and iPadOS 14.52021-04-26
Apple
CVE-2021-30661: macOS Big Sur 11.32021-04-26
Debian
CVE-2021-30661: webkit2gtk - A use after free issue was addressed with improved memory management. This issue...2021

🕵️Threat Intelligence

8
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-012021-11-09
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys2021-11-09
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices2021-10-18
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices | Qualys2021-10-18
Securelist
IT threat evolution in Q2 2021. PC statistics2021-08-12
CVE-2021-30661 — Use After Free in Apple IOS AND Ipados | cvebase