CVE-2021-30761 — Apple iOS WebKit Memory Corruption Vulnerability

Apple iOS WebKit — Out-of-Bounds Write Zero-Day Enables Code Execution via Malicious Web Content on Legacy iOS 12 Devices

What is Apple WebKit on iOS?

WebKit is Apple's open-source web browser engine powering Safari and all third-party browsers on iOS. On iOS, Apple's App Store policy mandates that all browsers use WebKit — Chrome, Firefox, Edge, and every other iOS browser processes web content through WebKit, not their own engines. This means a WebKit vulnerability affects every browser on iOS simultaneously. iOS 12 continued to receive security updates for legacy devices (iPhone 5s, iPhone 6, older iPads) that could not run iOS 14, making targeted patching of iOS 12 zero-days critical for protecting users on older hardware.

Overview

CVE-2021-30761 is an out-of-bounds write vulnerability (CWE-787) in Apple iOS WebKit that enables code execution when processing specially crafted web content. Apple patched it in iOS 12.5.4 (June 14, 2021), an emergency out-of-band update for legacy iOS 12 devices, and stated that the issue "may have been actively exploited." The companion CVE-2021-30762 (a WebKit use-after-free) was patched in the same release. Both vulnerabilities targeted users on older iPhones and iPads running iOS 12 (devices that cannot run iOS 14/15), which are disproportionately held by users in regions and demographics targeted by commercial surveillance operations.

Affected Versions

Product | Vulnerable | Fixed
iOS 12 before 12.5.4 | Yes | iOS 12.5.4 (June 14, 2021)

Technical Details

  • Root cause: Out-of-bounds write (CWE-787) in WebKit — a write operation exceeds the bounds of an allocated buffer in the HTML/JavaScript processing pipeline, causing heap corruption exploitable for code execution
  • iOS 12 scope: The product field "iOS" (not "Multiple Products") indicates this vulnerability specifically affected the iOS 12 codebase — the WebKit version shipping with iOS 12 for legacy devices
  • All iOS 12 browsers affected: On iOS 12, all browsers (Safari, Chrome, Firefox) use WebKit — the vulnerability affected every browser simultaneously
  • Exploit delivery: Victim visits a malicious web page or opens a malicious HTML document (UI:R) — typically delivered via iMessage link, SMS, or email
  • Zero-day confirmation: Apple's emergency iOS 12.5.4 release (outside the normal update cycle) and "may have been actively exploited" language confirm targeting of legacy iOS 12 device users in active surveillance operations
  • Chain component: WebKit code execution is the first stage in iOS exploit chains; a companion kernel exploit provides sandbox escape and full device control

Discovery

Reported to Apple and patched in the June 14, 2021 iOS 12.5.4 emergency release alongside CVE-2021-30762. The emergency patch specifically for iOS 12 (legacy devices) suggests exploitation was actively targeting users unable to upgrade to iOS 14.

Exploitation Context

iOS 12 users — running on devices too old for iOS 14 — are a specific target demographic for commercial spyware because: (1) they cannot receive iOS 14's enhanced security features, (2) their devices are common in developing regions with high-value surveillance targets, and (3) iOS 12 exploit chains have a larger addressable target population since many users never update. CVE-2021-30761 and CVE-2021-30762 represent paired WebKit zero-days specifically exploiting the iOS 12 codebase for this demographic.

Remediation

  1. Update iOS 12 to 12.5.4 or later — for iPhone 5s, iPhone 6, iPad mini 2, iPad mini 3, iPad Air, and iPod touch 6th generation
  2. If the device supports iOS 14 or later, upgrade to the current iOS version for the full suite of security improvements
  3. For devices that cannot be updated beyond iOS 12 and cannot receive further updates: consider replacing the device — legacy devices with no further update support are permanently vulnerable to subsequently discovered exploits
  4. Enable automatic software updates if available: Settings → General → Software Update → Automatic Updates
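
The remediation steps above, applied to a device inventory. This is an added example, not code from the original page or from Apple; the CSV column names, device IDs and sample rows are constructed assumptions, while the fix version and the legacy model list are taken from this page.

```python
import csv
import io
import re

FIXED = (12, 5, 4)  # fix version stated on this page
# Models the page lists for the 12.5.4 update (devices held on iOS 12).
IOS12_ONLY = {"iPhone 5s", "iPhone 6", "iPad mini 2", "iPad mini 3",
              "iPad Air", "iPod touch 6th generation"}

# Constructed sample inventory; column names are assumptions.
SAMPLE = """device_id,model,os_version
d1,iPhone 6,12.5.3
d2,iPhone 5s,12.5.10
d3,iPad Air,12.5
d4,iPhone 8,12.4.1
d5,iPhone 11,14.6
d6,iPad mini 2,12.x
"""

def parse_version(text):
    """'12.5' -> (12, 5, 0); raises ValueError on anything non-numeric."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(text)
    return tuple(int(part or 0) for part in m.groups())

def triage(model, os_version):
    """Return (status, action) following the page's remediation steps."""
    try:
        version = parse_version(os_version)
    except ValueError:
        return "unknown", "version unreadable: check the device by hand"
    if version[0] != 12:
        return "out_of_scope", "page covers iOS 12 only"
    if version >= FIXED:  # numeric compare, so 12.5.10 counts as patched
        return "patched", "none for this CVE"
    if model in IOS12_ONLY:
        return "vulnerable", "update to iOS 12.5.4 or later"
    return "vulnerable", "upgrade to the current iOS release"

def triage_inventory(csv_text):
    """Map device_id -> (status, action) for every inventory row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: triage(r["model"], r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, (status, action) in triage_inventory(SAMPLE).items():
        print(f"{device}: {status:12} {action}")
```

Versions are compared as integer tuples because a plain string comparison would rank 12.5.10 below 12.5.4 and flag a patched device as vulnerable.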

Key Details

Property | Value
CVE ID | CVE-2021-30761
Vendor / Product | Apple — iOS
NVD Published | 2021-09-08
NVD Last Modified | 2025-10-23
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-787
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-06-14 | Apple releases iOS 12.5.4 as emergency patch addressing CVE-2021-30761 and CVE-2021-30762 — confirmed active exploitation on legacy devices
2021-09-08 | CVE formally published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog alongside CVE-2021-30762
2021-11-17 | CISA BOD 22-01 remediation deadline
