⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-30665Out-of-bounds Write in Apple Macos

CWE-787Out-of-bounds WriteCWE-20Improper Input ValidationCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer18 documents12 sources
Severity
8.8HIGHNVD
EPSS
0.6%
top 31.77%
CISA KEV
KEV
Added 2021-11-03
Due 2021-11-17
Exploit
Exploited in wild
Active exploitation observed
Affected products
7
Apple MacosApple IpadosApple Iphone OS+4 more
Timeline
PublishedSep 8
KEV addedNov 3
KEV dueNov 17
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 7.4.1, iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, macOS Big Sur 11.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages9 packages

NVDapple/tvos< 14.6
CVEListV5apple/macosunspecified11.3+4
NVDapple/macos< 11.3.1
NVDapple/ipados< 14.5.1
NVDapple/watchos< 7.4.1

🔴Vulnerability Details

4
GHSA
GHSA-fgq5-6x94-h566: A memory corruption issue was addressed with improved state management2022-05-24
Project0
The More You Know, The More You Know You Don’t Know - Project Zero2022-04-01
OSV
CVE-2021-30665: A memory corruption issue was addressed with improved state management2021-09-08
VulnCheck
Apple Multiple Products WebKit Memory Corruption Vulnerability2021

📋Vendor Advisories

5
CISA
Apple Multiple Products WebKit Memory Corruption Vulnerability2021-11-03
Ubuntu
WebKitGTK vulnerabilities2021-07-28
Red Hat
webkitgtk: Memory corruption leading to arbitrary code execution2021-07-28
Apple
CVE-2021-30665: tvOS 14.62021-05-24
Debian
CVE-2021-30665: webkit2gtk - A memory corruption issue was addressed with improved state management. This iss...2021

🕵️Threat Intelligence

8
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-012021-11-09
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys2021-11-09
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices2021-10-18
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices | Qualys2021-10-18
Securelist
IT threat evolution in Q2 2021. PC statistics2021-08-12