⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions.

CVE-2021-30666: Improper Restriction of Operations within the Bounds of a Memory Buffer in Apple iOS

Severity: 8.8 HIGH (NVD)
EPSS: 1.5% (top 19.04%)
CISA KEV: added 2021-11-03, due 2021-11-17
Exploit: exploited in the wild (active exploitation observed)
Timeline: published Sep 8; KEV added Nov 3; KEV due Nov 17; latest update May 24
CISA Required Action: Apply updates per vendor instructions.

Description

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 12.5.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

Source     Package          Versions
CVEListV5  apple/ios        unspecified, 12.5
NVD        apple/iphone_os  < 12.5.3

🔴 Vulnerability Details (4)

GHSA: GHSA-4cx8-frpf-fjc3: A buffer overflow issue was addressed with improved memory handling (2022-05-24)
CVEList: CVE-2021-30666: A buffer overflow issue was addressed with improved memory handling (2021-09-08)
OSV: CVE-2021-30666: A buffer overflow issue was addressed with improved memory handling (2021-09-08)
VulnCheck: Apple iOS WebKit Buffer Overflow Vulnerability (2021)

📋 Vendor Advisories (3)

CISA: Apple iOS WebKit Buffer Overflow Vulnerability (2021-11-03)
Red Hat: webkitgtk: Buffer overflow leading to arbitrary code execution (2021-07-28)
Debian: CVE-2021-30666: webkit2gtk - A buffer overflow issue was addressed with improved memory handling. This issue ... (2021)
CVE-2021-30666 — Apple IOS vulnerability | cvebase