CVE-2021-1789 — Apple Multiple Products Type Confusion Vulnerability

CVE-2021-1789

Apple WebKit — Type Confusion Zero-Day Enables Remote Code Execution via Malicious Web Content on iOS, iPadOS, macOS, and Other Apple Platforms

What is Apple WebKit?

WebKit is Apple's open-source web browser engine that renders all web content on iOS, iPadOS, macOS, watchOS, and tvOS — used by Safari and, on iOS/iPadOS, required for all browsers by App Store policy. WebKit processes complex, attacker-controlled HTML, CSS, JavaScript, and multimedia content. Type confusion vulnerabilities in WebKit's JavaScript engine (JavaScriptCore) occur when the engine accesses a JavaScript value as the wrong internal type — enabling attackers to craft JavaScript that confuses WebKit's type system, creating memory corruption primitives that lead to code execution in the WebKit renderer process.

Overview

CVE-2021-1789 is a type confusion vulnerability (CWE-843) in Apple WebKit that allows processing of maliciously crafted web content to lead to arbitrary code execution. Apple patched this in iOS 14.4 (January 26, 2021), alongside the kernel escalation zero-day CVE-2021-1782 — indicating CVE-2021-1789 was the WebKit renderer stage of a two-vulnerability iOS exploit chain. The simultaneous patching of browser and kernel zero-days is Apple's standard response to discovering a complete exploit chain in the wild. CISA added CVE-2021-1789 to the KEV catalog in May 2022 — fifteen months after the patch.

Affected Versions

Product                        Vulnerable   Fixed
iOS before 14.4                Yes          iOS 14.4 (January 26, 2021)
iPadOS before 14.4             Yes          iPadOS 14.4 (January 26, 2021)
macOS Big Sur before 11.2      Yes          macOS Big Sur 11.2 (January 26, 2021)
Safari before 14.0.3           Yes          Safari 14.0.3 (January 26, 2021)

Technical Details

  • Root cause: Type confusion (CWE-843) in WebKit's JavaScript engine — the engine accesses a JavaScript object as an incorrect internal type; attacker-crafted JavaScript manipulates WebKit's type assumption about an object, creating an exploitable memory access at an incorrect offset
  • Renderer code execution: Successful type confusion exploitation achieves arbitrary code execution in the WebKit renderer process — this is sandboxed on iOS, requiring a kernel escalation (CVE-2021-1782) for complete device compromise
  • Zero-day chain: CVE-2021-1789 (WebKit type confusion, renderer RCE) + CVE-2021-1782 (XNU kernel race condition, kernel privilege escalation) = complete iOS exploit chain; Apple's simultaneous patching of both confirms they were used together in an active exploit
  • Web content delivery: The exploit is delivered via a malicious web page, iMessage link preview, or any vector that causes WebKit to render attacker-controlled content — on iOS, this is universal since all browsers use WebKit
  • Multiple platform scope: WebKit is shared across iOS, macOS, and watchOS — the type confusion exists in the JavaScriptCore engine common to all platforms, hence the "Multiple Products" classification

Discovery

Discovered as part of the same research or incident response that identified CVE-2021-1782 (XNU kernel race condition). Both were reported to Apple and patched simultaneously in January 2021, indicating they were observed being used together in a complete exploit chain. The May 2022 CISA KEV addition (fifteen months after the patch) reflects continued exploitation against devices still running iOS versions older than 14.4.

Exploitation Context

The January 2021 iOS 14.4 emergency release addressed a complete exploit chain discovered in the wild. CVE-2021-1789 (WebKit type confusion) serves as the initial code execution stage — converting a web page visit into sandboxed renderer code execution. This is then paired with CVE-2021-1782 (kernel LPE) to break out of the sandbox and gain persistent device access. This pattern is characteristic of commercial surveillance spyware delivery, where a single iMessage or web page visit triggers the complete chain invisibly. The fifteen-month gap between patch and CISA KEV addition reflects the pace of evidence accumulation from device forensics in high-priority investigations.

Remediation

  1. Update iOS/iPadOS to 14.4 or later — any current iOS release contains the fix
  2. Update macOS to Big Sur 11.2 or later; Safari to 14.0.3 or later
  3. Enable automatic updates: Settings → General → Software Update → Automatic Updates (iOS)
  4. The complete January 2021 exploit chain (CVE-2021-1789 + CVE-2021-1782) is fixed in the same iOS 14.4 update — a single update addresses both chain components
  5. Lockdown Mode (iOS 16+) significantly restricts WebKit's attack surface by disabling link previews, certain web content features, and other functionality commonly relied on by WebKit type confusion exploits
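Remediation steps 1 and 2 reduce to one question per device: is the installed version older than the fixed release in the Affected Versions table? The following is an added example, not part of the advisory, that answers that question over a constructed device inventory. The fixed versions are the ones the table states; the inventory records, the `Device` class and the function names are assumptions made for the example. Versions are compared numerically, segment by segment, so that a hypothetical "14.10" is correctly treated as newer than "14.4" (a plain string comparison would get that wrong).

```python
"""Check an Apple device inventory against the fixed versions for CVE-2021-1789.

Added example (not from the advisory). The fixed versions below are the ones the
advisory's Affected Versions table lists; the inventory entries are constructed.
"""
from dataclasses import dataclass

# Minimum fixed version per product, as stated in the advisory's table.
FIXED_VERSIONS = {
    "iOS": "14.4",
    "iPadOS": "14.4",
    "macOS": "11.2",     # the table only covers macOS Big Sur
    "Safari": "14.0.3",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '14.4.1' into (14, 4, 1).

    Trailing zero segments are stripped so '14.4' and '14.4.0' compare equal.
    Tuples of ints compare numerically, so (14, 10) > (14, 4), which a
    lexicographic string comparison would get wrong.
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


@dataclass(frozen=True)
class Device:
    name: str      # hypothetical asset identifier
    product: str   # key into FIXED_VERSIONS
    version: str   # installed version string


def triage(inventory: list[Device]) -> list[Device]:
    """Return the devices still running a version below the fix."""
    return [d for d in inventory if is_vulnerable(d.product, d.version)]


# Constructed sample inventory (not real devices; version strings chosen to
# exercise the comparison, including one constructed value "14.10").
SAMPLE_INVENTORY = [
    Device("phone-01", "iOS", "14.3"),
    Device("phone-02", "iOS", "14.4"),
    Device("phone-03", "iOS", "14.10"),      # constructed; numerically newer than 14.4
    Device("tablet-01", "iPadOS", "14.4.1"),
    Device("laptop-01", "macOS", "11.1"),
    Device("laptop-02", "macOS", "11.2.3"),
    Device("laptop-03", "Safari", "14.0.2"),
]

if __name__ == "__main__":
    for d in triage(SAMPLE_INVENTORY):
        fixed = FIXED_VERSIONS[d.product]
        print(f"{d.name}: {d.product} {d.version} is below {fixed}; update required")
```

On the constructed inventory the triage flags phone-01, laptop-01 and laptop-03; everything at or above the fixed version, including the patch-level release 14.4.1, passes.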

Key Details

Property              Value
CVE ID                CVE-2021-1789
Vendor / Product      Apple — Multiple Products
NVD Published         2021-04-02
NVD Last Modified     2025-10-23
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-843
CISA KEV Added        2022-05-04
CISA KEV Deadline     2022-05-25
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-05-25. Apply updates per vendor instructions.

Timeline

Date          Event
2021-01-26    Apple releases iOS 14.4, iPadOS 14.4, and macOS Big Sur 11.2 patching CVE-2021-1789 (WebKit type confusion) alongside CVE-2021-1782 (XNU kernel race condition)
2021-04-02    CVE published
2022-05-04    Added to CISA Known Exploited Vulnerabilities catalog, 15 months after the patch
2022-05-25    CISA BOD 22-01 remediation deadline