⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-30807Out-of-bounds Write in Apple Macos

CWE-787Out-of-bounds Write14 documents7 sources
Severity
7.8HIGHNVD
EPSS
24.5%
top 3.87%
CISA KEV
KEV
Added 2021-11-03
Due 2021-11-17
Exploit
Exploited in wild
Active exploitation observed
Affected products
6
Apple MacosApple IpadosApple Iphone OS+3 more
Timeline
PublishedOct 19
KEV addedNov 3
KEV dueNov 17
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.5.1, iOS 14.7.1 and iPadOS 14.7.1, watchOS 7.6.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages8 packages

CVEListV5apple/macosunspecified11.5+2
NVDapple/macos< 11.5.1
NVDapple/ipados< 14.7.1
NVDapple/watchos< 7.6.1
Appleapple/watchos7.6.1

🔴Vulnerability Details

3
GHSA
GHSA-676h-wcx2-4w5q: A memory corruption issue was addressed with improved memory handling2022-05-24
Project0
The More You Know, The More You Know You Don’t Know - Project Zero2022-04-01
VulnCheck
Apple Multiple Products Memory Corruption Vulnerability2021

📋Vendor Advisories

4
CISA
Apple Multiple Products Memory Corruption Vulnerability2021-11-03
Apple
CVE-2021-30807: watchOS 7.6.12021-07-29
Apple
CVE-2021-30807: macOS Big Sur 11.5.12021-07-26
Apple
CVE-2021-30807: iOS 14.7.1 and iPadOS 14.7.12021-07-26

🕵️Threat Intelligence

6
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-012021-11-09
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01 | Qualys2021-11-09
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices2021-10-18
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices | Qualys2021-10-18
Qualys
iOS and iPadOS 14.7 and 14.7.1 Security Update: Discover Vulnerabilities and Take Remote Response Action Using VMDR for Mobile Devices | Qualys2021-07-28