CVE-2021-30663 — Apple Multiple Products WebKit Integer Overflow Vulnerability

Apple WebKit — Integer Overflow Enables Code Execution via Malicious Web Content on iOS, iPadOS, macOS, and Safari

What is Apple WebKit?

WebKit is Apple's open-source web browser engine powering Safari on iOS, iPadOS, macOS, watchOS, and tvOS. On iOS and iPadOS, WebKit is mandatory for all browsers — Apple's App Store rules require all third-party browsers (Chrome, Firefox, etc.) to use WebKit rather than their own rendering engines. This means that a WebKit vulnerability affects every browser on iOS and iPadOS simultaneously. WebKit processes untrusted HTML, CSS, and JavaScript from web pages — memory corruption vulnerabilities in WebKit can be triggered by visiting a malicious page, enabling code execution in the browser process.

Overview

CVE-2021-30663 is an integer overflow vulnerability (CWE-190) in Apple WebKit, affecting iOS, iPadOS, macOS, tvOS, and Safari. Processing specially crafted web content triggers an integer overflow that can lead to heap corruption and code execution in the WebKit renderer process. Apple patched this in iOS 14.5 (April 2021). CISA added it to KEV in November 2021, confirming active exploitation in the wild. Integer overflows in browser engines — where arithmetic on size values wraps around — typically lead to heap buffer overflows, providing a memory corruption primitive exploitable for code execution.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| iOS before 14.5 | Yes | iOS 14.5 (April 26, 2021) |
| iPadOS before 14.5 | Yes | iPadOS 14.5 (April 26, 2021) |
| macOS before Big Sur 11.3 | Yes | macOS Big Sur 11.3 |
| tvOS before 14.5 | Yes | tvOS 14.5 |
| Safari before 14.1 | Yes | Safari 14.1 |

Technical Details

  • Root cause: Integer overflow (CWE-190) in WebKit — arithmetic on a size, length, or index value in the HTML/JavaScript processing pipeline overflows the integer range, resulting in an undersized buffer allocation or incorrect bounds check that leads to heap corruption
  • Heap corruption → code execution: An integer overflow that leads to a heap buffer overflow or type confusion can be exploited by attacker-controlled JavaScript to achieve arbitrary read/write access within the WebKit renderer heap, and ultimately code execution in the browser process
  • iOS browser scope: On iOS/iPadOS, all browsers use WebKit — this vulnerability affected Safari, Chrome, Firefox, and every other browser on iOS simultaneously
  • Network delivery: The attacker hosts a malicious web page containing crafted HTML/JavaScript that triggers the integer overflow. The victim navigates to the page (UI:R), which is the only user action required
  • Renderer context: Code execution is achieved in the WebKit renderer process (WebContent), which is sandboxed on iOS. A complete device compromise requires chaining with a separate kernel escalation exploit
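The two outcomes named in the root-cause bullet, an undersized allocation and a bounds check that passes when it should not, shown as an added C illustration beside their hardened forms. This is not WebKit code: the page does not identify the affected arithmetic, and the function names and sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unsafe: the 32-bit product wraps, so the size handed to the allocator
   can be far smaller than count * elem_size really is. */
uint32_t alloc_size_unchecked(uint32_t count, uint32_t elem_size)
{
    return (uint32_t)(count * elem_size);
}

/* Hardened: refuse the request instead of returning a wrapped size. */
bool alloc_size_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

/* Unsafe: offset + len wraps, so an out-of-range access passes the check. */
bool in_bounds_unchecked(uint32_t offset, uint32_t len, uint32_t buf_size)
{
    uint32_t end = offset + len;   /* wraps modulo 2^32 */
    return end <= buf_size;
}

/* Hardened: rearranged so no intermediate value can leave the range. */
bool in_bounds_checked(uint32_t offset, uint32_t len, uint32_t buf_size)
{
    return offset <= buf_size && len <= buf_size - offset;
}

int main(void)
{
    /* Constructed sample values, chosen so the arithmetic wraps. */
    uint32_t size = 0;
    printf("unchecked size: %u bytes\n",
           (unsigned)alloc_size_unchecked(0x40000001u, 4u));
    printf("checked size accepted: %d\n",
           alloc_size_checked(0x40000001u, 4u, &size));
    printf("unchecked bounds pass: %d\n",
           in_bounds_unchecked(0xFFFFFFF0u, 0x20u, 0x100u));
    printf("checked bounds pass: %d\n",
           in_bounds_checked(0xFFFFFFF0u, 0x20u, 0x100u));
    return 0;
}
```

Compilers also offer checked-arithmetic builtins such as `__builtin_mul_overflow` (GCC and Clang) that replace the manual division test.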

Discovery

Reported to Apple by external security researchers. Patched in iOS 14.5 (April 26, 2021) as part of Apple's regular update cycle rather than an emergency patch, though CISA's later KEV addition confirms active exploitation.

Exploitation Context

WebKit integer overflow vulnerabilities are used in targeted mobile surveillance exploit chains. The April 2021 iOS 14.5 release contained fixes for multiple WebKit memory safety issues. The CISA KEV addition in November 2021 reflects that the vulnerability was being exploited against devices running iOS versions prior to 14.5 — a significant population given that users frequently delay iOS updates. WebKit code execution is the standard entry point for iOS exploit chains used by commercial spyware and nation-state actors.

Remediation

  1. Update iOS/iPadOS to 14.5 or later — any current iOS release contains the fix
  2. Update macOS to Big Sur 11.3 or later; update Safari to 14.1 or later on older macOS
  3. Update tvOS to 14.5 or later
  4. Enable automatic software updates on all Apple devices: Settings → General → Software Update → Automatic Updates
  5. For enterprise iOS management: enforce minimum OS version policies via MDM to ensure all devices run at least iOS 14.5

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2021-30663 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2021-09-08 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-190 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2021-04-26 | Apple releases iOS 14.5 and iPadOS 14.5, patching CVE-2021-30663 among other WebKit vulnerabilities |
| 2021-09-08 | CVE formally published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
