⚠ Actively exploited
Added to CISA KEV on 2022-08-25. Federal agencies required to patch by 2022-09-15. Required action: Apply updates per vendor instructions..

CVE-2021-31010Deserialization of Untrusted Data in Apple Macos

CWE-502Deserialization of Untrusted DataCWE-20Improper Input Validation9 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.7%
top 27.45%
CISA KEV
KEV
Added 2022-08-25
Due 2022-09-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
5
Apple MacosApple WatchosApple Ipados+2 more
Timeline
PublishedAug 24
KEV addedAug 25
KEV dueSep 15
CISA Required Action: Apply updates per vendor instructions.

Description

A deserialization issue was addressed through improved validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 12.5.5, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. A sandboxed process may be able to circumvent sandbox restrictions. Apple was aware of a report that this issue may have been actively exploited at the time of release..

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

CVEListV5apple/macosunspecified11.6+1
NVDapple/macos11.011.6
NVDapple/ipados< 14.8
CVEListV5apple/watchosunspecified7.6+2
NVDapple/watchos< 7.6.2

🔴Vulnerability Details

2
CVEList
CVE-2021-31010: A deserialization issue was addressed through improved validation2021-08-24
VulnCheck
Apple iOS, macOS, watchOS Sandbox Bypass Vulnerability2021

📋Vendor Advisories

6
CISA
Apple iOS, macOS, watchOS Sandbox Bypass Vulnerability2022-08-25
Apple
CVE-2021-31010: iOS 12.5.52021-09-23
Apple
CVE-2021-31010: iOS 14.8 and iPadOS 14.82021-09-13
Apple
CVE-2021-31010: Security Update 2021-005 Catalina2021-09-13
Apple
CVE-2021-31010: watchOS 7.6.22021-09-13
CVE-2021-31010 — Deserialization of Untrusted Data | cvebase