What is the Apple XNU Kernel and Race Conditions?
XNU (X is Not Unix) is the hybrid kernel at the core of iOS, iPadOS, macOS, watchOS, and tvOS. It combines the Mach microkernel with BSD components derived from FreeBSD (plus the IOKit driver framework) and enforces process isolation, sandboxing, hardware access, and memory management on every Apple platform. A kernel race condition arises when two concurrent operations touch a shared kernel resource without adequate synchronization. If an attacker can win the race, for example by freeing an object on one thread while another thread is still using it, the result is memory corruption or a bypassed security check that can be turned into kernel code execution. NVD files this class of bug under CWE-667 (Improper Locking). Kernel race conditions are among the harder iPhone bugs to exploit reliably, since they require precise timing, and the ones found in the wild are typically used by well-resourced actors.
Overview
CVE-2021-1782 is a race condition (CWE-667, Improper Locking) in the Apple XNU kernel affecting iOS, iPadOS, macOS, watchOS, and tvOS. A malicious application already running on the device can win the race to elevate its privileges, escaping the app sandbox and gaining kernel-level control of the device. Apple fixed it in the January 26, 2021 releases (iOS 14.4, iPadOS 14.4, macOS Big Sur 11.2, watchOS 7.3, tvOS 14.4) and stated that the issue "may have been actively exploited." The same releases fixed CVE-2021-1870 and CVE-2021-1871, two WebKit logic issues leading to arbitrary code execution that Apple also flagged as possibly exploited, which is consistent with a full exploit chain: WebKit for initial code execution from a malicious web page, the kernel bug for the sandbox escape. CISA included it in the initial Known Exploited Vulnerabilities catalog on 2021-11-03.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| iOS before 14.4 | Yes | iOS 14.4 (January 26, 2021) |
| iPadOS before 14.4 | Yes | iPadOS 14.4 (January 26, 2021) |
| macOS Big Sur before 11.2 | Yes | macOS Big Sur 11.2 (January 26, 2021) |
| watchOS before 7.3 | Yes | watchOS 7.3 (January 26, 2021) |
| tvOS before 14.4 | Yes | tvOS 14.4 (January 26, 2021) |
Technical Details
- Root cause: improper locking (CWE-667) in the XNU kernel. Two concurrent kernel operations access a shared resource without proper synchronization, so a thread that checks the resource's state can have that state changed, or the resource freed, by another thread before it acts on it (time-of-check to time-of-use). Winning the race corrupts kernel state or memory, or bypasses a security check. Apple's advisory gives no detail on the affected kernel subsystem
- Privilege escalation: a malicious app that already runs in the user-mode sandbox uses the race to gain kernel-level code execution, which defeats the app sandbox and every other kernel-enforced restriction on the device
- High attack complexity (AC:H): the attacker must hit the vulnerable code path in a narrow window relative to a competing kernel operation, usually by repeating the attempt until the timing lands. This is why the CVSS 3.1 score is 7.0 despite High confidentiality, integrity, and availability impact
- January 2021 zero-day cluster: CVE-2021-1782 (kernel LPE), CVE-2021-1870 and CVE-2021-1871 (WebKit logic issues leading to arbitrary code execution) were patched together in iOS 14.4 and all flagged as possibly exploited, which suggests one chain: a WebKit stage for initial code execution in the browser's content process, then the kernel stage to escape the sandbox
- Cross-platform scope: the flaw is in XNU itself, shared by iOS, iPadOS, macOS, watchOS, and tvOS, so every Apple platform needed a fix rather than a single platform-specific component
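To make the "free on one thread while another thread is still using it" pattern from the overview and the root-cause bullet above concrete, here is an added example written for this page. It is not XNU code and not the CVE-2021-1782 bug itself, whose affected subsystem Apple has not described. It models a kernel object table holding a reference-counted object and replays the losing interleaving twice: once with a lookup that hands back a raw pointer with no reference, and once with a lookup that takes a reference while holding the table lock, which is one standard fix for this class of bug. The `struct obj` layout, the zone-style poisoning in `zone_free`, and all function names are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative kernel-style object table (constructed for this page; not
 * XNU code). A single slot holds a pointer to a reference-counted object. */
#define LIVE_MAGIC 0xC0FFEE42u
#define POISON     0xDEADBEEFu   /* pattern a zone allocator scribbles on free */

struct obj {
    uint32_t   magic;
    atomic_int refcnt;
    int        payload;
};

struct table {
    atomic_flag lock;      /* spinlock guarding `slot` */
    struct obj *slot;
};

static void table_lock(struct table *t)   { while (atomic_flag_test_and_set(&t->lock)) { } }
static void table_unlock(struct table *t) { atomic_flag_clear(&t->lock); }

/* "Free" into a zone: poison the object instead of returning memory to
 * malloc, so a use-after-free read is observable here instead of undefined. */
static void zone_free(struct obj *o) { o->magic = POISON; o->payload = 0; }

static struct obj *obj_alloc(int payload) {
    struct obj *o = calloc(1, sizeof *o);
    o->magic = LIVE_MAGIC;
    atomic_init(&o->refcnt, 1);      /* the table's own reference */
    o->payload = payload;
    return o;
}

/* Drop one reference; the holder of the last reference frees the object. */
static void obj_release(struct obj *o) {
    if (atomic_fetch_sub(&o->refcnt, 1) == 1) zone_free(o);
}

/* Removing an entry drops the table's reference. If nobody else holds one,
 * the object is freed right here, under no lock. */
static void table_remove(struct table *t) {
    table_lock(t);
    struct obj *o = t->slot;
    t->slot = NULL;
    table_unlock(t);
    if (o) obj_release(o);
}

/* Vulnerable lookup: returns the raw pointer, takes no reference and no lock.
 * Nothing stops a concurrent table_remove() from freeing it before use. */
static struct obj *lookup_raw(struct table *t) { return t->slot; }

/* Fixed lookup: take a reference while the lock excludes table_remove(),
 * so the pointer stays valid until the caller calls obj_release(). */
static struct obj *lookup_ref(struct table *t) {
    table_lock(t);
    struct obj *o = t->slot;
    if (o) atomic_fetch_add(&o->refcnt, 1);
    table_unlock(t);
    return o;
}

/* Replay the losing interleaving: thread A looks up, thread B removes and
 * frees, thread A uses. Returns the magic value A observes. */
static uint32_t replay_unlocked(void) {
    struct table t = { ATOMIC_FLAG_INIT, obj_alloc(7) };
    struct obj *a = lookup_raw(&t);   /* A: time of check */
    table_remove(&t);                 /* B: wins the race, object freed */
    uint32_t seen = a->magic;         /* A: time of use, pointer is dangling */
    free(a);                          /* give the zone's memory back */
    return seen;                      /* POISON: use-after-free */
}

static uint32_t replay_refcounted(void) {
    struct table t = { ATOMIC_FLAG_INIT, obj_alloc(7) };
    struct obj *a = lookup_ref(&t);   /* A: now holds its own reference */
    table_remove(&t);                 /* B: only the table's reference drops */
    uint32_t seen = a->magic;         /* A: object still live */
    obj_release(a);                   /* A done: last reference, freed now */
    free(a);
    return seen;                      /* LIVE_MAGIC */
}

int main(void) {
    uint32_t raw = replay_unlocked();
    uint32_t ref = replay_refcounted();
    printf("raw lookup       : 0x%08x (%s)\n", raw, raw == POISON ? "use-after-free" : "ok");
    printf("refcounted lookup: 0x%08x (%s)\n", ref, ref == LIVE_MAGIC ? "ok" : "use-after-free");
    return 0;
}
```

The replay is sequential, so the outcome is deterministic; on real hardware the attacker's whole job is to make the scheduler produce exactly this interleaving, typically by racing the two syscalls from two threads many thousands of times. Taking the reference under the lock removes the window entirely rather than narrowing it, which is why "improved locking" fixes are about ownership of the object's lifetime, not just about adding a mutex around the lookup.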
Discovery
Reported to Apple and patched as an actively exploited zero-day. Apple's January 2021 advisory used its standard "may have been actively exploited" wording, which at the time signalled confirmed in-the-wild exploitation at the moment of patch. The context (a kernel LPE fixed together with two WebKit bugs, all three flagged as exploited) is consistent with a commercial surveillance operation using a complete exploit chain.
Exploitation Context
The January 2021 iOS 14.4 cluster (CVE-2021-1782 kernel LPE plus CVE-2021-1870/1871 in WebKit) fits the pattern of commercial spyware deployment: a WebKit renderer exploit gives initial code execution when the target opens a page, and the kernel privilege escalation breaks out of the sandbox to reach full device control. CVE-2021-1782 was in the initial CISA KEV catalog published with BOD 22-01 on 2021-11-03; the ten-month gap after the patch reflects the catalog's launch date rather than new evidence of exploitation. Devices that never updated past iOS 14.3 remain exploitable, and operators of known-patched chains continue to use them against targets with delayed update adoption.
Remediation
- Update iOS/iPadOS to 14.4 or later; every current iOS release contains the fix
- Update macOS to Big Sur 11.2 or later; watchOS to 7.3 or later; tvOS to 14.4 or later
- Enable automatic software updates on all Apple devices: Settings → General → Software Update → Automatic Updates
- For enterprise MDM environments: enforce minimum OS version policies and immediately flag devices below iOS 14.4 for remediation
- Consider Lockdown Mode (iOS 16+) for high-risk users — reduces the attack surface for the WebKit-stage exploits that typically precede kernel LPE exploitation
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-1782 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2021-04-02 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 7.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-667 (Improper Locking) |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local |
| Attack Complexity (AC) | High |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Required Action
Apply updates per vendor instructions (CISA KEV required action, due 2021-11-17).
Timeline
| Date | Event |
|---|---|
| 2021-01-26 | Apple releases iOS 14.4, iPadOS 14.4, macOS 11.2, watchOS 7.3, and tvOS 14.4 — patches CVE-2021-1782 alongside CVE-2021-1870 and CVE-2021-1871; Apple acknowledges 'may have been actively exploited' |
| 2021-04-02 | CVE-2021-1782 record published in NVD |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apple Security Advisory — iOS 14.4 and iPadOS 14.4 | Vendor Advisory |
| NVD — CVE-2021-1782 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |