CVE-2021-30858 — Apple iOS, iPadOS, macOS Use-After-Free Vulnerability

CVE-2021-30858

Apple WebKit — Use-After-Free Zero-Day Patched in iOS 14.8 Alongside FORCEDENTRY (CVE-2021-30860); Apple Reports Possible Active Exploitation

What is Apple WebKit?

WebKit is Apple's open-source browser engine and powers Safari on iOS, iPadOS, macOS, watchOS, and tvOS. On iOS and iPadOS, App Store policy requires every browser to use WebKit, so Chrome, Firefox, and the rest render web content through the same engine as Safari, as does any app that embeds a WKWebView. WebKit parses untrusted HTML, CSS, JavaScript, and media from whatever site the user visits, which is why a memory-safety bug in it is reachable simply by loading a page. A use-after-free in WebKit typically yields code execution inside the sandboxed WebContent renderer process; reaching the rest of the device requires further sandbox-escape and privilege-escalation bugs.

Overview

CVE-2021-30858 is a use-after-free vulnerability (CWE-416) in Apple WebKit affecting iOS, iPadOS, and macOS. Apple's advisory describes the impact as "processing maliciously crafted web content may lead to arbitrary code execution" and states that the issue "may have been actively exploited." Apple patched it on September 13, 2021 in iOS 14.8, iPadOS 14.8, and macOS Big Sur 11.6, the same emergency release that fixed CVE-2021-30860, the CoreGraphics integer overflow behind FORCEDENTRY, the NSO Group Pegasus zero-click iMessage exploit that Citizen Lab published that day. The two bugs are distinct: FORCEDENTRY does not involve WebKit, Apple credits CVE-2021-30858 to an anonymous researcher rather than to Citizen Lab, and no public report ties the WebKit bug to the Pegasus chain. What they share is that both were in-the-wild zero-days fixed in a single out-of-band release. CVE-2021-30869, an XNU type confusion often grouped with these two, was not part of the September 13 release; Apple fixed it on September 23, 2021 in iOS 12.5.5 and macOS Catalina Security Update 2021-006, and Google TAG later attributed its exploitation to a separate campaign.

Affected Versions

Product Vulnerable Fixed
iOS before 14.8 Yes iOS 14.8 (September 13, 2021)
iPadOS before 14.8 Yes iPadOS 14.8 (September 13, 2021)
macOS Big Sur before 11.6 Yes macOS 11.6 (September 13, 2021)
iOS 12.x (devices that cannot run iOS 13 or later) Yes iOS 12.5.5 (September 23, 2021)

Technical Details

  • Root cause: Use-after-free (CWE-416) in WebKit. An engine object is freed while another part of the engine still holds a pointer to it; attacker-controlled web content then reclaims the freed allocation with data it controls, and the stale pointer is used as if the original object were still live. Apple's advisory says only that the issue was "addressed with improved memory management"; the affected WebKit component is not public.
  • Exploitation: A WebKit UAF is typically turned into a type confusion by grooming the heap so that the freed slot is reoccupied by a different object whose fields line up with the freed one. From there the attacker builds an arbitrary read/write primitive and gains code execution in the WebContent process. The renderer is sandboxed, so full device compromise additionally needs a sandbox escape and a kernel privilege escalation; none is publicly attributed to this CVE.
  • Relationship to FORCEDENTRY: Fixed in the same release as CVE-2021-30860, the CoreGraphics integer overflow in PDF parsing that FORCEDENTRY exploited over iMessage. The two bugs are in different subsystems and were reported by different parties; the shared date reflects Apple shipping both in-the-wild fixes together.
  • Delivery: Apple describes the trigger as processing maliciously crafted web content, which means a link opened in Safari, in any other iOS browser (all of which use WebKit), or in an app's embedded web view; the user has to load the page, hence User Interaction: Required in the CVSS vector. FORCEDENTRY, by contrast, was zero-click via iMessage and did not pass through WebKit.
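The bug class, as an added illustration (this is not WebKit source and not the CVE-2021-30858 code path, which Apple has not published): a hypothetical ref-counted `Node` whose event handler removes it from its document in the middle of event dispatch, so the dispatcher's raw pointer dangles. `Node`, `RefPtr`, `dispatchUnprotected`, `dispatchProtected` and `runScenario` are names invented for this example; the fix mirrors the protecting-reference idiom (`Ref<T> protectedThis(*this)`) WebKit uses for this class of bug. Instead of dereferencing freed memory, the unprotected path consults a live-object set so the demonstration is deterministic rather than undefined behaviour.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <set>

// Instrumentation only: addresses of Node objects that are currently alive.
// Lets the vulnerable path report "freed" instead of touching dangling memory.
static std::set<const void*> g_liveNodes;

// Minimal intrusive ref-counted object in the spirit of WebKit's RefCounted.
// Hypothetical class for this example, not WebKit code.
class Node {
public:
    explicit Node(int id) : m_id(id) { g_liveNodes.insert(this); }
    ~Node() { g_liveNodes.erase(this); }

    void ref() { ++m_refCount; }
    void deref() {
        if (--m_refCount == 0)
            delete this;               // last reference gone: object is freed here
    }
    int id() const { return m_id; }

    // Stands in for an attacker-supplied JavaScript event handler.
    std::function<void()> onEvent;

private:
    int m_refCount = 0;
    int m_id;
};

// Minimal owning smart pointer in the spirit of WebKit's RefPtr<>.
template<typename T>
class RefPtr {
public:
    RefPtr() = default;
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr&) = delete;
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { reset(); }

    void reset() {
        T* p = m_ptr;
        m_ptr = nullptr;               // clear first so re-entrant code never sees a stale pointer
        if (p) p->deref();
    }
    T* get() const { return m_ptr; }

private:
    T* m_ptr = nullptr;
};

// Vulnerable pattern: only a raw pointer is held across a call-out to script.
// If script drops the last reference, `node` dangles. Returns true when a
// use-after-free occurred (detected via g_liveNodes).
bool dispatchUnprotected(Node* node, int& idOut) {
    auto handler = node->onEvent;     // copy before calling, as dispatchers do
    if (handler)
        handler();                    // may destroy `node`
    if (!g_liveNodes.count(node))
        return true;                  // real code would dereference freed memory here
    idOut = node->id();
    return false;
}

// Hardened pattern: take a protecting reference for the duration of the
// call-out. The object cannot be freed until this function returns.
bool dispatchProtected(Node* node, int& idOut) {
    RefPtr<Node> protectedThis(node);
    auto handler = node->onEvent;
    if (handler)
        handler();                    // may drop the owner's reference, but not ours
    if (!g_liveNodes.count(node))
        return true;                  // never reached: protectedThis keeps it alive
    idOut = node->id();
    return false;
}

// Constructed scenario: a document owns one node; the node's event handler
// removes it from the document (dropping the only owning reference) while
// the event is being dispatched.
bool runScenario(bool hardened, int& idOut) {
    RefPtr<Node> documentOwnedNode(new Node(42));
    Node* raw = documentOwnedNode.get();
    raw->onEvent = [&documentOwnedNode]() { documentOwnedNode.reset(); };
    return hardened ? dispatchProtected(raw, idOut) : dispatchUnprotected(raw, idOut);
}

int main() {
    int id = -1;
    bool uaf = runScenario(false, id);
    std::printf("unprotected dispatch: use-after-free=%s\n", uaf ? "yes" : "no");
    id = -1;
    uaf = runScenario(true, id);
    std::printf("protected dispatch:   use-after-free=%s, id=%d\n", uaf ? "yes" : "no", id);
    return 0;
}
```

Build with `g++ -std=c++17 uaf_demo.cpp`. In a real exploit the attacker does not wait for the dangling pointer to be noticed: between the free and the reuse they allocate attacker-shaped objects (for example ArrayBuffers or strings of the right size) so the stale pointer now points at memory whose layout they chose, which is the type confusion step described above.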

Discovery

Apple credits CVE-2021-30858 to an anonymous researcher. It was not part of Citizen Lab's FORCEDENTRY findings; Citizen Lab is credited for CVE-2021-30860, the CoreGraphics bug. The two issues share a release date, not a reporter. Apple folding a second in-the-wild WebKit zero-day into the FORCEDENTRY emergency release is why the two are so often discussed together.

Exploitation Context

The September 13, 2021 emergency release is among the most significant in Apple's history: it was issued in direct response to Citizen Lab's capture of FORCEDENTRY, the NSO Group Pegasus zero-click iMessage exploit, from the iPhone of a Saudi activist. FORCEDENTRY's entry point was CVE-2021-30860 in CoreGraphics, reached through a malicious PDF delivered over iMessage; it did not use WebKit. CVE-2021-30858 is a separate WebKit bug that Apple said may have been actively exploited, and no public analysis ties it to Pegasus or identifies the campaign in which it was used. Whatever chain it belonged to, a WebKit bug alone yields code execution only inside the sandboxed WebContent process; the full device control that Pegasus provides its government customers (message and call interception, microphone and camera activation, real-time location tracking) additionally requires a sandbox escape and a kernel exploit.

Remediation

  1. Update iOS/iPadOS to 14.8 or later; every subsequent iOS release contains the fix
  2. Update macOS Big Sur to 11.6 or later
  3. Devices limited to iOS 12 (those that cannot run iOS 13 or later) receive the fix in iOS 12.5.5, released September 23, 2021
  4. Enable automatic software updates: Settings → General → Software Update → Automatic Updates
  5. If compromise is suspected, run Amnesty International's MVT (Mobile Verification Toolkit), mvt-ios check-backup against an encrypted iTunes/Finder backup or check-fs against a full filesystem dump, with Amnesty's published Pegasus indicators, or follow Citizen Lab's detection methods
  6. Installing iOS 14.8 or macOS 11.6 also fixes the FORCEDENTRY bug CVE-2021-30860, so no separate action is needed for it. CVE-2021-30869 (XNU kernel) is a different issue that Apple fixed on September 23, 2021 in iOS 12.5.5 and macOS Catalina Security Update 2021-006; it is not part of the September 13 release

Key Details

Property Value
CVE ID CVE-2021-30858
Vendor / Product Apple: iOS, iPadOS, and macOS (WebKit)
NVD Published 2021-08-24
NVD Last Modified 2025-10-27
CVSS 3.1 Score 8.8
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity HIGH
CWE CWE-416
CISA KEV Added 2021-11-03
CISA KEV Deadline 2021-11-17
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

User Interaction: Required reflects that the victim must load the malicious page; Scope: Unchanged reflects that the score covers code execution in the WebKit process only, not a sandbox escape or kernel compromise.

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date Event
2021-08-24 CVE record published in NVD (this listed date precedes Apple's September 13 advisory)
2021-09-13 Apple releases iOS 14.8, iPadOS 14.8, and macOS 11.6 as emergency patches fixing CVE-2021-30858 and the FORCEDENTRY bug CVE-2021-30860; Apple says both may have been actively exploited
2021-09-13 Citizen Lab publishes its FORCEDENTRY research, describing the NSO Group Pegasus zero-click iMessage exploit that used CVE-2021-30860
2021-09-23 Apple releases iOS 12.5.5, bringing the CVE-2021-30858 and CVE-2021-30860 fixes to devices that cannot run iOS 13 or later
2021-11-03 Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 CISA BOD 22-01 remediation deadline