CVE-2021-30666 — Apple iOS WebKit Buffer Overflow Vulnerability


Apple iOS WebKit — Buffer Overflow Enables Code Execution via Malicious Web Content; Zero-Day Patched in Emergency iOS Update

What is Apple WebKit on iOS?

WebKit is Apple's open-source browser engine powering Safari and all third-party browsers on iOS. Apple's App Store policy mandates that every browser on iOS use WebKit, so Chrome, Firefox, Edge, and every other iOS browser processes web content through WebKit rather than its own engine. A WebKit vulnerability on iOS therefore applies to every iOS browser. On iOS, WebKit runs in a sandboxed WebContent process; successful exploitation gives an attacker code execution within that process, and full device compromise typically requires a follow-on kernel exploit to escape the sandbox.

Overview

CVE-2021-30666 is a buffer overflow vulnerability (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) in Apple iOS WebKit. Processing specially crafted web content triggers a buffer overflow that enables code execution in the WebKit renderer process. Apple patched it in iOS 12.5.3 (May 3, 2021), an emergency out-of-band update for older iOS devices, noting that the bug "may have been actively exploited." The affected-product field names iOS specifically, so CVE-2021-30666 may have had a narrower affected range than its companions CVE-2021-30661 and CVE-2021-30665, which affected both iOS 14.x and 12.x as well as macOS and other platforms.

CISA added it to KEV in November 2021, confirming active exploitation of this WebKit bug in targeted attack chains.

Affected Versions

Product                      Vulnerable        Fixed
iOS 12 before 12.5.3         Yes               iOS 12.5.3 (May 3, 2021)
Other iOS/iPadOS versions    May be affected   Check Apple's security advisories

Technical Details

  • Root cause: Buffer overflow (CWE-119) in WebKit — improper bounds checking on a buffer in the WebKit HTML rendering or JavaScript engine allows operations that exceed the buffer's allocated size, corrupting adjacent memory
  • Heap/stack corruption: A buffer overflow in a browser engine processing attacker-controlled web content (HTML, CSS, JavaScript, media) creates a memory corruption primitive exploitable for code execution
  • iOS WebKit scope: On iOS, this affects every browser that processes web content (Safari, Chrome for iOS, Firefox for iOS, etc.) via the mandatory WebKit requirement
  • Code execution context: Exploitation achieves renderer process (WebContent) code execution — the first stage in an iOS exploit chain, typically followed by a kernel exploit for sandbox escape
  • Delivery: Victim navigates to a malicious URL (UI:R) — typically delivered via iMessage link, email, or an embedded link in another app
  • iOS 12 emergency patch: The iOS 12.5.3 release specifically addressing CVE-2021-30666 indicates Apple prioritized patching older devices, suggesting exploitation was targeting users on legacy hardware

Discovery

Reported to Apple and patched as part of the May 3, 2021 emergency update cluster alongside CVE-2021-30661 and CVE-2021-30665. Apple's emergency patch outside the normal update cycle confirms zero-day exploitation at the time of disclosure.

Exploitation Context

iOS WebKit zero-days are consistently valuable in targeted surveillance operations because all iOS browsers use WebKit. The focus on iOS 12 in the emergency patch reflects that attackers were targeting older iPhones (iPhone 5s, iPhone 6, and older iPad models) running iOS 12 — a demographic that includes users who cannot upgrade to iOS 14/15, often in developing countries or resource-constrained environments targeted by surveillance operations. Commercial spyware vendors specifically maintain exploit chains for multiple iOS versions to maximize the range of potential targets.

Remediation

  1. For older devices on iOS 12: update to iOS 12.5.3 or later
  2. For devices capable of running iOS 14: upgrade to iOS 14.5.1 or later (or any current iOS version)
  3. Enable automatic software updates: Settings → General → Software Update → Automatic Updates
  4. If your device no longer receives iOS updates (discontinued support), consider replacing it — unsupported devices cannot receive security patches for newly discovered vulnerabilities
  5. For enterprise iOS fleet management: enforce minimum OS version policies via MDM and identify devices that can no longer receive security updates for priority replacement
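As an added example (not part of this advisory), the following Python triages an MDM OS-version export against the fixed versions named in steps 1 and 2 above. The CSV inventory, its column names and the UDIDs are constructed for illustration; the rule that any device not on the iOS 12 branch must reach 14.5.1 or later is an assumption drawn from step 2, and releases older than iOS 12 are flagged for the replacement check in step 4.

```python
import csv
import io

# Constructed MDM export for illustration (not real device data).
SAMPLE_INVENTORY = """udid,model,os_version
UDID-0001,iPhone 6,12.5.2
UDID-0002,iPhone 6,12.5.3
UDID-0003,iPhone 8,14.4.2
UDID-0004,iPhone 8,14.5.1
UDID-0005,iPhone 11,15.1
UDID-0006,iPhone 5,10.3.4
UDID-0007,iPhone 7,13.7
"""

# Fixed versions stated in the advisory.
FIXED_IOS12 = (12, 5, 3)   # iOS 12 branch
FIXED_IOS14 = (14, 5, 1)   # devices capable of running iOS 14


def parse_version(s: str) -> tuple:
    """'12.5.3' -> (12, 5, 3); '14.5' -> (14, 5, 0) so tuples compare correctly."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def required_action(os_version: str) -> str:
    v = parse_version(os_version)
    if v[0] == 12:
        return "ok" if v >= FIXED_IOS12 else "update to iOS 12.5.3"
    if v[0] < 12:
        # Assumption: a release below the iOS 12 branch cannot receive either fix
        # as-is; confirm whether the hardware can still update, otherwise replace.
        return "unsupported release; update if possible, otherwise replace"
    # Assumption: anything on iOS 13 or later can run iOS 14, so it must reach 14.5.1+.
    return "ok" if v >= FIXED_IOS14 else "update to iOS 14.5.1 or later"


def triage_inventory(csv_text: str) -> dict:
    """Map each UDID to its required action; every non-'ok' entry needs follow-up."""
    actions = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        actions[row["udid"]] = required_action(row["os_version"])
    return actions


if __name__ == "__main__":
    for udid, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(udid, action)
```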

Key Details

Property               Value
CVE ID                 CVE-2021-30666
Vendor / Product       Apple — iOS
NVD Published          2021-09-08
NVD Last Modified      2025-10-23
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-119
CISA KEV Added         2021-11-03
CISA KEV Deadline      2021-11-17
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     Required
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-05-03   Apple releases iOS 12.5.3 as emergency patch addressing CVE-2021-30666 for older devices — confirmed active exploitation
2021-09-08   CVE formally published
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline

References

Resource                                  Type
Apple Security Advisory — iOS 12.5.3      Vendor Advisory
NVD — CVE-2021-30666                      Vulnerability Database
CISA KEV Catalog Entry                    US Government