CVE-2021-1871 — Apple iOS, iPadOS, and macOS WebKit Remote Code Execution Vulnerability

CVE-2021-1871

Apple iOS/iPadOS/macOS WebKit — Logic Error Zero-Day RCE via Maliciously Crafted Web Content; Companion to CVE-2021-1870 in iOS 14.4.2 Emergency Patch

What is Apple WebKit?

WebKit is the browser rendering engine built into iOS, iPadOS, macOS, watchOS, and tvOS, and used exclusively by all browsers on iOS (Apple requires third-party browsers to use WebKit rather than their own engines). WebKit processes untrusted content from the internet and is a primary attack surface for remote code execution against Apple devices. Compromising WebKit is the first stage of a full device compromise chain — attackers typically pair a WebKit RCE with a kernel sandbox escape to achieve full persistent device access.

Overview

CVE-2021-1871 is a remote code execution vulnerability in WebKit caused by a logic error when processing maliciously crafted web content. It is the companion to CVE-2021-1870, and both were addressed in the same emergency iOS 14.4.2 / iPadOS 14.4.2 out-of-band release on March 26, 2021. Apple confirmed that both vulnerabilities "may have been actively exploited" at the time of the patch release, indicating zero-day exploitation against specific targets. Two separate WebKit logic errors being exploited simultaneously in the same attack suggests a sophisticated adversary with capability to chain WebKit bugs for reliable exploitation.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| iOS before 14.4.2 | Yes | iOS 14.4.2 |
| iPadOS before 14.4.2 | Yes | iPadOS 14.4.2 |
| watchOS before 7.3.3 | Yes | watchOS 7.3.3 |
| macOS Big Sur (Safari before 14.0.3) | Yes | Safari 14.0.3 |

Technical Details

CVE-2021-1871 shares characteristics with its companion CVE-2021-1870 — both are logic errors in WebKit rather than classic memory safety vulnerabilities:

  • Root cause: Logic error in WebKit's processing of maliciously crafted web content — an incorrect code path is triggered by specific JavaScript or DOM constructs, enabling arbitrary code execution
  • Attack surface: Any app on iOS/iPadOS that renders web content — Safari, in-app browsers (WKWebView), messaging apps with link previews
  • No user interaction beyond page load: A user visiting a malicious URL or receiving a specially crafted message can trigger exploitation
  • Paired exploitation: The simultaneous patching of CVE-2021-1870 and CVE-2021-1871 suggests they may be used together — for example, one bug for initial execution and the second for reliability or as a fallback
  • Sandbox context: WebKit RCE executes code in the browser sandbox; additional bugs (not covered by these CVEs) are needed for full device compromise

Discovery

The advisory attributes the discovery to Apple's internal Security Engineering and Architecture (SEAR) team, alongside external reporters whose identities were not disclosed. This is consistent with discovery during analysis of an active attack targeting specific individuals.

Exploitation Context

These paired WebKit zero-days represent the type of vulnerability used by commercial surveillance tool operators and nation-state intelligence agencies to deploy spyware on target devices. The synchronized discovery and patching of two distinct WebKit logic errors in March 2021 suggests an adversary who had invested significantly in building a reliable exploit chain. Individuals at elevated risk of targeted surveillance — journalists, activists, political dissidents, government officials — should treat unpatched Apple devices as potentially compromised if they were not updated promptly after the March 26, 2021 emergency release.

Remediation

  1. Update to iOS 14.4.2, iPadOS 14.4.2, watchOS 7.3.3 immediately — these out-of-band patches fix both CVE-2021-1870 and CVE-2021-1871
  2. Enable automatic security updates on all Apple devices
  3. If targeted compromise is suspected: use Amnesty International's MVT (Mobile Verification Toolkit) or a commercial mobile forensics tool to check device backup artifacts for spyware indicators
  4. For organizations: enforce an accelerated mobile patch window for emergency Apple security updates — the out-of-band nature indicates confirmed exploitation against live targets
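One way to carry out steps 1 and 4 across a fleet is to compare an inventory export against the fixed versions listed on this page. The following is an added example, not code from the advisory or from any MDM vendor; the CSV column names, device IDs and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Fixed versions copied from this page's Affected Versions table.
FIXED = {"iOS": (14, 4, 2), "iPadOS": (14, 4, 2),
         "watchOS": (7, 3, 3), "Safari": (14, 0, 3)}
KEV_DEADLINE = date(2021, 11, 17)  # CISA BOD 22-01 deadline stated on this page

# Constructed sample inventory; the column names are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """device_id,platform,version
ipad-017,iPadOS,14.4.2
iphone-002,iOS,14.4.1
iphone-003,iOS,14.4
iphone-006,iOS,14.10
watch-004,watchOS,7.3.3
mac-005,Safari,14.0.2
tv-007,tvOS,14.4
iphone-008,iOS,14.4.2 (18D70)
iphone-009,iOS,beta
"""


def parse_version(text):
    """'14.4' -> (14, 4, 0); '14.4.2 (18D70)' -> (14, 4, 2). Numeric, not string, order."""
    parts = [int(p) for p in text.split()[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def classify(platform, version, as_of):
    """Return a status for one device against the fixed versions above."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return "unlisted-platform"      # no fixed version on the page; review by hand
    try:
        current = parse_version(version)
    except (ValueError, IndexError):
        return "unparseable-version"    # fail closed: never count as patched
    if current >= fixed:
        return "patched"
    return "vulnerable-overdue" if as_of > KEV_DEADLINE else "vulnerable"


def audit(inventory_csv, as_of):
    """Map device_id -> status for every row of the CSV text."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device_id"]: classify(r["platform"], r["version"], as_of) for r in rows}
```

Versions are compared as integer tuples so that `14.4` sorts below `14.4.2` and a two-digit minor version is not mis-ordered by string comparison; rows that cannot be parsed are reported separately instead of being treated as patched.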

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2021-1871 |
| Vendor / Product | Apple — iOS, iPadOS, and macOS |
| NVD Published | 2021-04-02 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2021-03-26 | Apple releases iOS 14.4.2, iPadOS 14.4.2, watchOS 7.3.3, and Safari 14.0.3 emergency patches for actively exploited zero-days CVE-2021-1870 and CVE-2021-1871 |
| 2021-04-02 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |