CVE-2021-30807
Published: 2021-10-19


Priority: P1 (81), high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2021-11-17
Exploited in the wild
EPSS: 28.84% (97.9th percentile)
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.5.1, iOS 14.7.1 and iPadOS 14.7.1, watchOS 7.6.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Affected (10 ranges)

Vendor  Product                 Version range            Fixed in
apple   ios_14.7.1_and_ipados
apple   ipados                  < 14.7.1                 14.7.1
apple   iphone_os               < 14.7.1                 14.7.1
apple   macos                   < 11.5.1                 11.5.1
apple   macos                   >= unspecified, < 11.5   11.5
apple   macos                   >= unspecified, < 14.7   14.7
apple   macos                   >= unspecified, < 7.6    7.6
apple   macos_big_sur
apple   watchos                 < 7.6.1                  7.6.1
apple   watchos

Detection & IOCs (extracted from sources)

  • Vulnerable component is IOMobileFrameBuffer: monitor for unexpected applications interacting with or exploiting the IOMobileFrameBuffer kernel extension on Apple platforms (iOS, iPadOS, macOS, watchOS).
  • Flag any application on unpatched Apple devices (iOS 14.7 and below, macOS Big Sur 11.5 and below, watchOS 7.6 and below) that achieves kernel-level code execution via a memory corruption path in IOMobileFrameBuffer; this is indicative of active in-the-wild exploitation.
  • CISA flagged this as a Known Exploited Vulnerability; prioritize detection on unpatched Apple devices running iOS/iPadOS < 14.7.1, macOS Big Sur < 11.5.1, and watchOS < 7.6.1.
  • Exploitation is memory-corruption based within the IOMobileFrameBuffer kernel component; no public PoC hashes, network IOCs, or specific malicious filenames were disclosed in available sources, so detection must rely on behavioral/kernel telemetry rather than static signatures.
  • Apple confirmed active in-the-wild exploitation but has not publicly attributed the exploit to a specific threat actor or malware family in these advisories.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd        v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck           7.8    HIGH
cisa                7.8    HIGH