What is Apple WebKit?
WebKit is the open-source browser engine developed by Apple that powers Safari on iOS, iPadOS, macOS, watchOS, and tvOS. Because iOS requires all third-party browsers to use WebKit (not their own engines), WebKit vulnerabilities affect Chrome, Firefox, and all other iOS browsers equally — not just Safari. WebKit processes untrusted web content from the internet, making it one of the highest-value attack surfaces on Apple devices. Remote code execution in WebKit typically serves as the first stage of a full device compromise, chained with a privilege escalation vulnerability to escape the WebKit sandbox and achieve full device access.
Overview
CVE-2021-1870 is a remote code execution vulnerability in WebKit caused by a logic error in the JavaScript engine's processing of maliciously crafted web content. An attacker who delivers a malicious web page (via web browser, messaging app WebView, or any app that renders web content) can exploit this logic error to execute arbitrary code in the WebKit process on the victim's device. Apple released emergency out-of-band patches on March 26, 2021 — ahead of the normal monthly release cycle — with the note that Apple was "aware of a report that this issue may have been actively exploited." CVE-2021-1870 was patched alongside the companion CVE-2021-1871 in the same emergency release. Both were actively exploited zero-days. The lack of technical details reflects Apple's standard practice of withholding exploit information to protect users during patching windows.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| iOS before 14.4.2 | Yes | iOS 14.4.2 |
| iPadOS before 14.4.2 | Yes | iPadOS 14.4.2 |
| watchOS before 7.3.3 | Yes | watchOS 7.3.3 |
| macOS Big Sur (Safari before 14.0.3) | Yes | Safari 14.0.3 |
Technical Details
The vulnerability is a logic error in WebKit's JavaScript engine processing:
- Root cause: Logic error (not a typical memory corruption bug) in WebKit's handling of maliciously crafted web content — specific JavaScript constructs or DOM manipulations trigger an incorrect code path that leads to arbitrary code execution
- Attack vector: Any application on iOS/iPadOS that displays web content is potentially vulnerable — including Safari, in-app browsers (WKWebView), and messaging apps that render HTML content
- No user interaction needed beyond loading a page: Simply visiting a malicious URL in Safari or receiving a message with a malicious link preview can trigger exploitation
- Chain behavior: In known exploitation, WebKit RCE vulnerabilities are typically chained with a kernel privilege escalation (sandbox escape) to achieve full device compromise — WebKit RCE alone executes code in the browser sandbox, not as root
- Zero-day at time of patch: Apple confirmed active exploitation before the patch was released — this was not a theoretical vulnerability
Discovery
Reporter details were not disclosed by Apple at the time of the advisory, which is typical for actively exploited zero-day vulnerabilities. The emergency March 26, 2021 patch release — covering both CVE-2021-1870 and CVE-2021-1871 simultaneously — suggests these were discovered in the context of a targeted attack requiring two WebKit bugs to achieve the desired impact.
Exploitation Context
Apple WebKit zero-days are almost exclusively used in highly targeted attacks — commercial spyware operators (like NSO Group), nation-state actors, and surveillance tool vendors use these bugs to compromise specific individuals of interest (journalists, activists, government officials, business executives). Mass exploitation of WebKit zero-days is rare because they are expensive to acquire and maintain. The active exploitation acknowledgment in Apple's advisory indicates these were being used in the wild against real targets before the patch was released.
Remediation
- Update to iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3 immediately; these patches were released out-of-band to address actively exploited zero-days
- Enable automatic updates on all Apple devices to receive security patches promptly
- If a targeted attack is suspected: check for indicators of compromise using a mobile forensics tool such as Amnesty International's MVT (Mobile Verification Toolkit) against a device backup
- For organizations with high-value individuals (executives, legal, HR): enforce rapid mobile patch deployment policies given the targeted nature of Apple WebKit zero-day exploitation
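To support the patch-deployment step above, the following added example (not taken from Apple's advisory or any MDM product) checks a device inventory against the fixed versions listed in the Affected Versions table. The CSV layout, column names, and sample devices are constructed assumptions.

```python
import csv
import io

# Fixed versions copied from the Affected Versions table on this page.
FIXED = {
    "iOS": (14, 4, 2),
    "iPadOS": (14, 4, 2),
    "watchOS": (7, 3, 3),
    "Safari": (14, 0, 3),
}

# Constructed sample inventory; the CSV layout and column names are assumptions.
SAMPLE_INVENTORY = """device,product,version
exec-iphone,iOS,14.4.1
legal-ipad,iPadOS,14.4.2
hr-watch,watchOS,7.3
lab-mac,Safari,14.0.3
kiosk-iphone,iOS,14.10
old-ipad,iPadOS,13.7
lobby-tv,tvOS,14.4
bad-row,iOS,14.x
"""

def parse_version(text):
    """'7.3' -> (7, 3, 0). Raises ValueError on non-numeric or over-long input."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many components: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def classify(product, version):
    fixed = FIXED.get(product)
    if fixed is None:
        return "not-covered"      # product has no row in the page's table
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable"      # surface bad data instead of guessing
    # Tuple comparison is numeric per component, so 14.10 sorts above 14.4.2.
    return "patched" if installed >= fixed else "vulnerable"

def audit(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: classify(r["product"], r["version"]) for r in rows}

def vulnerable_devices(inventory_csv):
    return sorted(d for d, s in audit(inventory_csv).items() if s == "vulnerable")

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device:14} {status}")
```

Rows reported as `not-covered` or `unparseable` need manual review rather than being treated as patched.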
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-1870 |
| Vendor / Product | Apple — iOS, iPadOS, and macOS |
| NVD Published | 2021-04-02 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-03-26 | Apple releases iOS 14.4.2, iPadOS 14.4.2, watchOS 7.3.3, and Safari 14.0.3 emergency patches for actively exploited zero-days CVE-2021-1870 and CVE-2021-1871 |
| 2021-04-02 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apple Security Advisory — iOS 14.4.2 and iPadOS 14.4.2 | Vendor Advisory |
| NVD — CVE-2021-1870 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |