CVE-2021-30762

What is Apple WebKit on iOS?

WebKit is Apple's open-source web browser engine powering Safari and all third-party browsers on iOS. On iOS, Apple's App Store policy mandates that all browsers use WebKit — Chrome, Firefox, Edge, and every other iOS browser processes web content through WebKit, not their own engines. This means a WebKit vulnerability affects every browser on iOS simultaneously. iOS 12 continued to receive emergency security patches for legacy devices (iPhone 5s, iPhone 6, older iPads) that could not run iOS 14, specifically for zero-day vulnerabilities being actively exploited against those older devices.

Overview

CVE-2021-30762 is a use-after-free vulnerability (CWE-416) in Apple iOS WebKit that enables code execution when processing specially crafted web content. Apple patched this in iOS 12.5.4 (June 14, 2021) as an emergency out-of-band update for legacy iOS 12 devices, confirming "may have been actively exploited." The companion CVE-2021-30761 (a WebKit out-of-bounds write) was patched in the same release. Together, these two WebKit zero-days were being exploited in targeted surveillance operations against users on older iPhones and iPads running iOS 12 — devices incapable of running iOS 14/15.

Affected Versions

Technical Details

• Root cause: Use-after-free (CWE-416) in WebKit — a JavaScript engine or HTML rendering object is freed while a reference to it remains accessible. Attacker-controlled web content can arrange for controlled data to occupy the freed memory, enabling type confusion and code execution in the WebKit renderer
• iOS 12 scope: The "iOS" product designation (not "Multiple Products") indicates this specifically affects the iOS 12 WebKit codebase for legacy devices, not the iOS 14 or macOS WebKit versions
• All iOS 12 browsers affected: Safari, Chrome, Firefox, and every browser on iOS 12 use WebKit — the UAF is triggerable through any browser
• Exploit delivery: The victim navigates to a malicious web page or follows a link (UI:R), which triggers the exploit. Zero-click variants are possible if an attacker can deliver web content through iMessage or other auto-rendering mechanisms
• UAF exploitation primitive: A WebKit UAF typically enables type confusion leading to arbitrary read/write in the WebKit heap, then code execution in the renderer (WebContent) process — the first stage in an iOS exploit chain

Discovery

Reported to Apple and patched alongside CVE-2021-30761 in the June 14, 2021 iOS 12.5.4 emergency release. The paired disclosure of two WebKit zero-days (OOB write + UAF) in the same iOS 12 emergency patch suggests they were discovered together during analysis of an active exploit chain targeting legacy iOS devices.

Exploitation Context

The iOS 12.5.4 emergency patch represents Apple's effort to protect legacy device users from targeted surveillance — these older iPhones and iPads are common among journalists, activists, and dissidents in regions where iOS 14 hardware is expensive or unavailable. Commercial spyware operators maintain exploit chains for multiple iOS versions to maximize target coverage. CVE-2021-30761 and CVE-2021-30762 represent the WebKit stage of such a chain, designed specifically for the iOS 12 codebase.

Remediation

1. Update iOS 12 to 12.5.4 or later — for iPhone 5s, iPhone 6, iPad mini 2/3, iPad Air, and iPod touch 6th generation
2. If the device supports iOS 14 or later, upgrade to the current iOS version — iOS 14+ has substantially more security hardening
3. Enable automatic software updates where available: Settings → General → Software Update → Automatic Updates
4. For devices at the end of iOS support lifecycle, prioritize hardware replacement — devices that cannot receive further security updates are permanently exposed to subsequently discovered exploits