⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-30858Use After Free in Apple IOS

CWE-416Use After Free14 documents10 sources
Severity
8.8HIGHNVD
EPSS
0.8%
top 26.00%
CISA KEV
KEV
Added 2021-11-03
Due 2021-11-17
Exploit
Exploited in wild
Active exploitation observed
Affected products
6
Apple IOSApple MacosApple Ipados+3 more
Timeline
PublishedAug 24
KEV addedNov 3
KEV dueNov 17
Latest updateApr 1
CISA Required Action: Apply updates per vendor instructions.

Description

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

CVEListV5apple/macosunspecified11.6
NVDapple/macos< 11.6
NVDapple/ipados13.114.8
CVEListV5apple/iosunspecified14.8
NVDapple/iphone_os13.014.8+1

Also affects: Debian Linux 10.0, 11.0, Fedora 33, 34

🔴Vulnerability Details

5
Project0
The More You Know, The More You Know You Don’t Know - Project Zero2022-04-01
OSV
CVE-2021-30858: A use after free issue was addressed with improved memory management2021-08-24
CVEList
CVE-2021-30858: A use after free issue was addressed with improved memory management2021-08-24
VulnCheck
Apple iOS, iPadOS, macOS Use-After-Free Vulnerability2021
Project0
Project Zero RCA: CVE-2021-30858

📋Vendor Advisories

8
CISA
Apple iOS, iPadOS, macOS Use-After-Free Vulnerability2021-11-03
Apple
CVE-2021-30858: iOS 12.5.52021-09-23
Ubuntu
WebKitGTK vulnerabilities2021-09-22
Red Hat
webkitgtk: Use-after-free leading to arbitrary code execution2021-09-20
Apple
CVE-2021-30858: iOS 14.8 and iPadOS 14.82021-09-13