CVE-2021-30807
published 2021-10-19
CVE-2021-30807: A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.5.1, iOS 14.7.1 and iPadOS 14.7.1, watchOS…
Priority P181 · high · 7.8 · CVSS 3.1
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS
28.84%
97.9th percentile
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.5.1, iOS 14.7.1 and iPadOS 14.7.1, watchOS 7.6.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_14.7.1_and_ipados | — | — |
| apple | ipados | < 14.7.1 | 14.7.1 |
| apple | iphone_os | < 14.7.1 | 14.7.1 |
| apple | macos | < 11.5.1 | 11.5.1 |
| apple | macos | >= unspecified < 11.5 | 11.5 |
| apple | macos | >= unspecified < 14.7 | 14.7 |
| apple | macos | >= unspecified < 7.6 | 7.6 |
| apple | macos_big_sur | — | — |
| apple | watchos | < 7.6.1 | 7.6.1 |
| apple | watchos | — | — |
Detection & IOCs (extracted from sources)
- Vulnerable component is IOMobileFrameBuffer — monitor for unexpected applications interacting with or exploiting the IOMobileFrameBuffer kernel extension on Apple platforms (iOS, iPadOS, macOS, watchOS)
- Flag any application on Apple devices (iOS 14.7 and below, macOS Big Sur 11.5 and below, watchOS 7.6 and below) that achieves kernel-level code execution via a memory corruption path in IOMobileFrameBuffer — indicative of active in-the-wild exploitation
- CISA flagged this as a Known Exploited Vulnerability; prioritize detection on unpatched Apple devices running iOS/iPadOS < 14.7.1, macOS Big Sur < 11.5.1, and watchOS < 7.6.1
- Exploitation is memory-corruption based within the IOMobileFrameBuffer kernel component; no public PoC hashes, network IOCs, or specific malicious filenames were disclosed in available sources — detection must rely on behavioral/kernel telemetry rather than static signatures
- Apple confirmed active in-the-wild exploitation but has not publicly attributed the exploit to a specific threat actor or malware family in these advisories
CVSS provenance
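| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |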
CISA
Apple Multiple Products Memory Corruption Vulnerability
cisa·2021-11-03·CVSS 7.8
CVE-2021-30807 [HIGH] CWE-787 Apple Multiple Products Memory Corruption Vulnerability
Vulnerability: Apple Multiple Products Memory Corruption Vulnerability
Affected: Apple Multiple Products
Apple iOS, iPadOS, macOS, and watchOS IOMobileFrameBuffer contain a memory corruption vulnerability which may allow an application to execute code with kernel privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-30807
Remediation Due Date: 2021-11-17
Apple
CVE-2021-30807: watchOS 7.6.1
vendor_apple·2021-07-29·CVSS 7.8
CVE-2021-30807 [HIGH] CVE-2021-30807: watchOS 7.6.1
Apple Security Update: About the security content of watchOS 7.6.1
Product: watchOS
Version: 7.6.1
CVE: CVE-2021-30807
Component: IOMobileFrameBuffer
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved memory handling.
Apple
CVE-2021-30807: macOS Big Sur 11.5.1
vendor_apple·2021-07-26·CVSS 7.8
CVE-2021-30807 [HIGH] CVE-2021-30807: macOS Big Sur 11.5.1
Apple Security Update: About the security content of macOS Big Sur 11.5.1
Product: macOS Big Sur
Version: 11.5.1
CVE: CVE-2021-30807
Component: IOMobileFrameBuffer
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved memory handling.
Apple
CVE-2021-30807: iOS 14.7.1 and iPadOS 14.7.1
vendor_apple·2021-07-26·CVSS 7.8
CVE-2021-30807 [HIGH] CVE-2021-30807: iOS 14.7.1 and iPadOS 14.7.1
Apple Security Update: About the security content of iOS 14.7.1 and iPadOS 14.7.1
Product: iOS 14.7.1 and iPadOS
Version: 14.7.1
CVE: CVE-2021-30807
Component: IOMobileFrameBuffer
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved memory handling.
GHSA
GHSA-676h-wcx2-4w5q: A memory corruption issue was addressed with improved memory handling
ghsa_unreviewed·2022-05-24
CVE-2021-30807 [HIGH] CWE-787 GHSA-676h-wcx2-4w5q: A memory corruption issue was addressed with improved memory handling
A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.5.1, iOS 14.7.1 and iPadOS 14.7.1, watchOS 7.6.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Project0
The More You Know, The More You Know You Don’t Know - Project Zero
project_zero·2022-04-01
CVE-2016-4654 The More You Know, The More You Know You Don’t Know - Project Zero
A Year in Review of 0-days Used In-the-Wild in 2021
Posted by Maddie Stone, Google Project Zero
This is our third annual year in review of 0-days exploited in-the-wild [2020, 2019]. Each year we’ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you’re interested in the analysis of individual exploits, please check out our root cause analysis repository.
We perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for
VulnCheck
Apple Multiple Products Memory Corruption Vulnerability
vulncheck·2021·CVSS 7.8
CVE-2021-30807 [HIGH] CWE-787 Apple Multiple Products Memory Corruption Vulnerability
Apple Multiple Products Memory Corruption Vulnerability
Apple iOS, iPadOS, macOS, and watchOS IOMobileFrameBuffer contain a memory corruption vulnerability which may allow an application to execute code with kernel privileges.
Affected: Apple Multiple Products
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://support.apple.com/kb/HT212622; https://support.apple.com/kb/HT212623; https://support.apple.com/kb/HT212713; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://resources.jamf.com/documents/technical-papers/Coldintro-Coldinvite-Mystery-v2.0.pdf
Exploit PoC: https://vulncheck.com/xdb/227b555675d3; https://vulnchec
No detection rules found.
No public exploits indexed.
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Qualys
Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices
blogs_qualys·2021-10-18·CVSS 7.0
[HIGH] Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices
Apple recently released iOS and iPadOS 15.0.2 as an emergency security update that addresses one critical zero-day vulnerability, which is exploited in the wild. Qualys recommends that security teams should immediately update all devices running iOS and iPadOS to the latest version. “Apple is aware of a report that this issue may have been actively exploited,” the company said in security advisories.
This year, Apple has released multiple emergency releases to fix the actively exploited vulnerabilities which Apple is aware of a report that this issue may have been actively exploited. Successful exploitation of the vulnerability allows an application to execute arbitrary code with kernel privileges, and spyware like Pegasus can be easily deployed on affected devices, and exploiting other vul
Checkpoint
2nd August – Threat Intelligence Report
blogs_checkpoint·2021-08-02
CVE-2021-30807 2nd August – Threat Intelligence Report
## 2nd August – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 2nd August, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
The company that manages COVID-19 vaccination appointments in the Lazio Region in Italy has been hit by ransomware. The attack took down its IT systems, making the booking site unreachable and suspending the vaccination of the entire region surrounding Rome.
Check Point Harmony Endpoint provides protection against this threa
Qualys
iOS and iPadOS 14.7 and 14.7.1 Security Update: Discover Vulnerabilities and Take Remote Response Action Using VMDR for Mobile Devices | Qualys
blogs_qualys·2021-07-28·CVSS 7.8
[HIGH] iOS and iPadOS 14.7 and 14.7.1 Security Update: Discover Vulnerabilities and Take Remote Response Action Using VMDR for Mobile Devices | Qualys
Apple recently released iOS and iPadOS 14.7 and 14.7.1 which include a security update that addresses almost 38 vulnerabilities, among them several critical RCE and privilege escalation vulnerabilities. Qualys recommends that security teams should immediately update all devices running iOS and iPadOS to the latest version.
The vulnerabilities affect iOS and iPadOS components including ImageIO, Kernel, Preferences, Model I/O, Image Processing, WebKit, FontParser, and others. Apple has for the third time released a minor release (14.7.1) after a major release (14.7) to fix a critical vulnerability (CVE-2021-30807) that has been actively exploited. Successful exploitation of the vulnerability allows an application to execute arbitrary code with kernel privileges. Spyware like Pegasus might e
- https://support.apple.com/en-us/HT212622
- https://support.apple.com/en-us/HT212623
- https://support.apple.com/en-us/HT212713
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30807
2021-10-19: Published
2021-11-03: Added to CISA KEV
Exploited in the wild