CVE-2021-30661 — Apple Multiple Products WebKit Storage Use-After-Free Vulnerability

Apple WebKit — Use-After-Free in WebKit Storage Enables Code Execution via Malicious Web Content; Zero-Day Patched May 2021

What is Apple WebKit?

WebKit is Apple's open-source web browser engine powering Safari on iOS, iPadOS, macOS, watchOS, and tvOS. On iOS and iPadOS, WebKit is mandatory for all browsers — Apple's App Store rules require all third-party browsers (Chrome, Firefox, etc.) to use WebKit rather than their own rendering engines. This means that a WebKit vulnerability affects every browser on iOS and iPadOS, not just Safari. WebKit processes untrusted HTML, CSS, and JavaScript from web pages — memory corruption vulnerabilities in WebKit can be triggered simply by visiting a malicious page, enabling remote code execution in the browser process.

Overview

CVE-2021-30661 is a use-after-free vulnerability (CWE-416) in Apple WebKit's Storage subsystem, affecting iOS, iPadOS, macOS, tvOS, watchOS, and Safari. Processing specially crafted web content can trigger the UAF, allowing code execution in the WebKit renderer process. Apple patched this as a zero-day in May 2021 (iOS 14.5.1 emergency update), acknowledging that "this issue may have been actively exploited." Because iOS mandates WebKit for all browsers, every iOS user running Safari or any third-party browser was vulnerable until the patch was applied.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| iOS before 14.5.1 | Yes | iOS 14.5.1 (May 3, 2021) |
| iPadOS before 14.5.1 | Yes | iPadOS 14.5.1 (May 3, 2021) |
| iOS 12 before 12.5.3 | Yes | iOS 12.5.3 (May 3, 2021 — older devices) |
| macOS Big Sur before 11.4 | Yes | macOS 11.4 (May 24, 2021) |
| watchOS before 7.4.1 | Yes | watchOS 7.4.1 |
| tvOS before 14.6 | Yes | tvOS 14.6 |

Technical Details

  • Root cause: Use-after-free (CWE-416) in WebKit's Storage subsystem — a browser storage management object is freed while a reference to it remains active in another code path. Attacker-controlled JavaScript can trigger the UAF condition and control the freed memory to corrupt WebKit's heap
  • Renderer code execution: Exploiting the UAF achieves code execution in the WebKit renderer process (the sandboxed process that renders web pages). On iOS, the renderer runs in the WebContent process with reduced privileges
  • iOS browser scope: On iOS, all browsers use WebKit — this vulnerability affected Safari, Chrome for iOS, Firefox for iOS, and every other iOS browser simultaneously
  • Exploitation chain position: WebKit RCE is typically the first stage in iOS exploit chains (obtaining code execution in the browser process), followed by a kernel exploit (e.g., IOMobileFrameBuffer bugs) for sandbox escape and full device control
  • Delivery: The victim navigates to a malicious web page (UI:R). Exploit delivery is typically via iMessage link, email link, or watering hole attack
  • Active exploitation: Apple's "may have been actively exploited" disclosure language, combined with the emergency out-of-band patch release (rather than waiting for the monthly update cycle), confirms zero-day use in targeted attacks

Discovery

Reported to Apple by external security researchers. Apple's emergency May 3, 2021 releases (iOS 14.5.1, iOS 12.5.3) — released outside the normal update cadence — signal Apple's assessment of the severity and active exploitation risk.

Exploitation Context

WebKit zero-days in May 2021 were used in targeted mobile surveillance campaigns. The simultaneous release of iOS 14.5.1 and iOS 12.5.3 (supporting older devices back to iPhone 6) reflects that attackers were targeting users across the iOS device spectrum. iOS WebKit zero-days are primary tools for commercial mobile spyware (Pegasus, Predator, Hermit) and nation-state mobile exploitation — they provide the initial code execution needed to begin an exploit chain leading to full device compromise.

Remediation

  1. Update iOS/iPadOS to 14.5.1 or later (any current iOS release contains the fix)
  2. For older devices still on iOS 12: update to iOS 12.5.3 or later
  3. Update macOS to Big Sur 11.4 or later, watchOS to 7.4.1 or later, tvOS to 14.6 or later
  4. Enable automatic software updates on all Apple devices: Settings → General → Software Update → Automatic Updates
  5. Be cautious of unexpected links via iMessage or email — WebKit zero-days are typically delivered via single-click links requiring no further user interaction beyond following the link
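
The version thresholds in steps 1 to 3 can be checked against a device inventory. The Python below is an added example, not part of the original advisory or of any Apple tooling; the fixed versions are copied from the Affected Versions table on this page, while the function names, hostnames and inventory entries are constructed for illustration.

```python
# Added example: flag devices below the fixed versions in "Affected Versions".
# product -> [(major version of the branch, or None for catch-all), first fixed version]
FIXED = {
    "ios":     [(12, (12, 5, 3)), (None, (14, 5, 1))],  # iOS 12 has its own fix line
    "ipados":  [(None, (14, 5, 1))],
    "macos":   [(11, (11, 4, 0))],                      # the page lists Big Sur only
    "watchos": [(None, (7, 4, 1))],
    "tvos":    [(None, (14, 6, 0))],
}

def parse_version(text):
    """Turn '14.5' into (14, 5, 0) so comparison is numeric, not lexical."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3 or any(p < 0 for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def status(product, version):
    """Return 'patched', 'vulnerable', 'not-listed' or 'unparseable'."""
    branches = FIXED.get(product.strip().lower())
    if branches is None:
        return "not-listed"
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    for major, fixed in branches:
        if major is None or major == v[0]:
            return "patched" if v >= fixed else "vulnerable"
    # No branch matched: newer majors carry the fix, older ones are not on the page.
    return "patched" if v >= max(f for _, f in branches) else "not-listed"

# Constructed sample inventory; hostnames and versions are made up.
INVENTORY = [
    ("iphone-finance-01", "iOS", "14.5"),
    ("iphone6-kiosk", "iOS", "12.5.2"),
    ("ipad-lobby", "iPadOS", "14.5.1"),
    ("mbp-dev-07", "macOS", "11.3.1"),
    ("imac-archive", "macOS", "10.15.7"),
    ("atv-boardroom", "tvOS", "14.6"),
]

def audit(inventory):
    """Map each host to its status for CVE-2021-30661."""
    return {host: status(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:18} {result}")
```

Entries reported as not-listed or unparseable need manual review, since the page gives no fixed version for them.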

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2021-30661 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2021-09-08 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-416 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2021-05-03 | Apple releases iOS 14.5.1, iPadOS 14.5.1, and iOS 12.5.3 as emergency patches addressing CVE-2021-30661 — confirmed active exploitation |
| 2021-05-24 | macOS Big Sur 11.4, watchOS 7.4.1, and tvOS 14.6 address CVE-2021-30661 |
| 2021-09-08 | CVE formally published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |