CVE-2021-30665 — Apple Multiple Products WebKit Memory Corruption Vulnerability

CVE-2021-30665

Apple WebKit — Memory Corruption Enables Code Execution via Malicious Web Content on iOS, iPadOS, macOS, watchOS, and tvOS

What is Apple WebKit?

WebKit is Apple's open-source web browser engine powering Safari on iOS, iPadOS, macOS, watchOS, and tvOS. On iOS and iPadOS, WebKit is mandatory for all browsers — Apple's App Store rules require all third-party browsers (Chrome, Firefox, etc.) to use WebKit rather than their own rendering engines, meaning a WebKit vulnerability affects every iOS/iPadOS browser simultaneously. WebKit processes untrusted HTML, CSS, and JavaScript from web pages — out-of-bounds write vulnerabilities in WebKit can be triggered by visiting a malicious page and exploited for code execution in the renderer process.

Overview

CVE-2021-30665 is an out-of-bounds write (memory corruption) vulnerability (CWE-787) in Apple WebKit, affecting iOS, iPadOS, macOS, watchOS, and tvOS. Processing specially crafted web content triggers a write operation beyond the bounds of an allocated buffer in WebKit, enabling heap corruption and code execution in the WebKit renderer process. Apple patched this in the May 3, 2021 emergency updates (iOS 14.5.1, iOS 12.5.3), acknowledging that the issue "may have been actively exploited", which indicates zero-day exploitation. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog in November 2021.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| iOS before 14.5.1 | Yes | iOS 14.5.1 (May 3, 2021) |
| iPadOS before 14.5.1 | Yes | iPadOS 14.5.1 (May 3, 2021) |
| iOS 12 before 12.5.3 | Yes | iOS 12.5.3 (May 3, 2021, older devices) |
| macOS Big Sur before 11.4 | Yes | macOS 11.4 (May 24, 2021) |
| watchOS before 7.4.1 | Yes | watchOS 7.4.1 |
| tvOS before 14.6 | Yes | tvOS 14.6 |

Technical Details

  • Root cause: Out-of-bounds write (CWE-787) in WebKit — attacker-controlled web content causes WebKit to write data beyond the end of an allocated buffer in the HTML rendering or JavaScript processing pipeline, corrupting adjacent heap memory
  • Heap corruption → code execution: An OOB write in WebKit enables heap layout manipulation to achieve type confusion or function pointer corruption, providing a path to code execution in the WebKit renderer process (WebContent on iOS)
  • iOS browser scope: All iOS browsers use WebKit — this vulnerability affected Safari, Chrome for iOS, Firefox for iOS, and every other iOS browser simultaneously
  • Zero-day exploitation: Apple's emergency May 3, 2021 patch (outside the normal monthly update cycle) and "may have been actively exploited" language confirm zero-day use in targeted attacks
  • Exploit chain position: WebKit OOB write provides the first stage of iOS exploit chains — renderer code execution is followed by a kernel exploit for sandbox escape and full device control
  • Delivery: Victim visits a malicious web page (UI:R), triggering the exploit via crafted JavaScript/HTML

Discovery

The vulnerability was reported to Apple and patched in the May 2021 emergency updates alongside CVE-2021-30661 (WebKit Storage UAF). Both vulnerabilities received the same emergency patches targeting the same version of iOS, suggesting they were discovered and reported together as part of the same research or exploitation campaign analysis.

Exploitation Context

The simultaneous May 2021 emergency patching of multiple WebKit zero-days (CVE-2021-30661 and CVE-2021-30665) suggests a coordinated disclosure of multiple bugs found in the same WebKit codebase, possibly discovered during analysis of an active exploit chain. WebKit memory corruption zero-days are the primary initial access mechanism for iOS-targeted surveillance operations. The same-day release of iOS 12.5.3 (for devices unable to run iOS 14) indicates Apple's assessment that targets of the exploitation included users on older hardware.

Remediation

  1. Update iOS/iPadOS to 14.5.1 or later (any current iOS release contains the fix)
  2. For older devices on iOS 12: update to iOS 12.5.3 or later
  3. Update macOS to Big Sur 11.4 or later; watchOS to 7.4.1 or later; tvOS to 14.6 or later
  4. Enable automatic software updates on all Apple devices: Settings → General → Software Update → Automatic Updates
  5. Be alert to unexpected browser crashes or performance anomalies when visiting unknown links — WebKit exploits can be triggered by links delivered via iMessage, email, or QR codes
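
The version checks in steps 1 to 3 can be run across a whole device inventory. The following Python is an added example, not part of the original advisory: it classifies devices against the fixed versions in the Affected Versions table on this page. The CSV layout, device names and function names are constructed for illustration.

```python
import csv
import io

# Fixed versions copied from the Affected Versions table on this page.
FIXED = {"ios": (14, 5, 1), "ipados": (14, 5, 1), "macos": (11, 4, 0),
         "watchos": (7, 4, 1), "tvos": (14, 6, 0)}
# The iOS 12 line has its own fix for devices that cannot run iOS 14.
BRANCH_FIXED = {("ios", 12): (12, 5, 3)}
# The table lists only Big Sur (11.x) for macOS, so older majors are not judged.
MIN_LISTED_MAJOR = {"macos": 11}

# Constructed sample in the shape of an MDM export (device names are made up).
SAMPLE_INVENTORY = """\
device,product,version
ceo-iphone,iOS,14.5
lab-ipad,iPadOS,14.5.1
old-iphone6,iOS,12.5.2
kiosk-iphone,iOS,12.5.3
mid-iphone,iOS,13.7
dev-mbp,macOS,11.2.3
legacy-imac,macOS,10.15.7
lobby-tv,tvOS,14.6
exec-watch,watchOS,7.4
"""

def parse_version(text):
    """'14.5' -> (14, 5, 0): pad to three parts so tuple comparison is exact."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(product, version):
    """Return 'patched', 'vulnerable' or 'not-listed' for one device."""
    product = product.strip().lower()
    if product not in FIXED:
        return "not-listed"
    ver = parse_version(version)
    if ver[0] < MIN_LISTED_MAJOR.get(product, 0):
        return "not-listed"
    # iOS 12.x is measured against 12.5.3; every other line (13.x included)
    # against the main fix, since the page lists no other patched branch.
    fix = BRANCH_FIXED.get((product, ver[0]), FIXED[product])
    return "patched" if ver >= fix else "vulnerable"

def triage(csv_text):
    """Map each device in a CSV inventory to its status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: status(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    for device, result in triage(SAMPLE_INVENTORY).items():
        print(f"{device:14} {result}")
```

Devices reported as `not-listed` fall outside the rows of the table and need a separate check against the vendor's release notes.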

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2021-30665 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2021-09-08 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-787 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2021-05-03 | Apple releases iOS 14.5.1, iPadOS 14.5.1, and iOS 12.5.3 as emergency patches addressing CVE-2021-30665 (confirmed active exploitation) |
| 2021-05-24 | macOS Big Sur 11.4, watchOS 7.4.1, and tvOS 14.6 address CVE-2021-30665 |
| 2021-09-08 | CVE formally published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |