CVE-2021-30860 — Apple Multiple Products Integer Overflow Vulnerability

Apple CoreGraphics — FORCEDENTRY: Integer Overflow in PDF/JBIG2 Parsing Enables Zero-Click iMessage Exploitation by NSO Group Pegasus Spyware

What is Apple CoreGraphics?

CoreGraphics is Apple's fundamental 2D rendering framework, used across iOS, iPadOS, macOS, and watchOS for drawing graphics, rendering PDFs, and processing images. CoreGraphics handles PDF file rendering in many Apple contexts, including iMessage link previews, document viewers, and Safari. As a framework that processes complex, attacker-controlled file formats (PDF, images, fonts), CoreGraphics vulnerabilities triggered by malicious documents are particularly dangerous — and particularly valuable to sophisticated threat actors who can exploit them via zero-click delivery mechanisms.

Overview

CVE-2021-30860 is an integer overflow vulnerability (CWE-190) in Apple CoreGraphics — better known as FORCEDENTRY (also called MEGALODON), the NSO Group Pegasus zero-click iMessage exploit discovered by Citizen Lab in September 2021. The vulnerability involves a flaw in CoreGraphics's parsing of JBIG2-compressed image data within PDF files. NSO Group exploited this by sending a malicious iMessage containing a crafted file that appeared as an innocent GIF but contained embedded PDF/JBIG2 data — when iMessage automatically processed the attachment to generate a preview, CoreGraphics parsed the JBIG2 content and triggered the integer overflow, achieving code execution with zero user interaction.

FORCEDENTRY is considered one of the most sophisticated iPhone exploits ever analyzed. Google Project Zero researchers described it as achieving "a remarkable technical accomplishment" that essentially implemented a virtual CPU in JBIG2 to bootstrap the exploit chain. Apple patched this in iOS 14.8 (September 13, 2021) and subsequently sued NSO Group over the exploitation.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| iOS before 14.8 | Yes | iOS 14.8 (September 13, 2021) |
| iPadOS before 14.8 | Yes | iPadOS 14.8 (September 13, 2021) |
| macOS Big Sur before 11.6 | Yes | macOS 11.6 (September 13, 2021) |
| watchOS before 7.6.2 | Yes | watchOS 7.6.2 (September 13, 2021) |

Technical Details

  • Root cause: Integer overflow (CWE-190) in CoreGraphics's JBIG2 image compression decoder — arithmetic on size/length values overflows, causing incorrect buffer allocation and heap corruption when processing JBIG2-compressed image data embedded in PDF
  • Zero-click delivery via iMessage: NSO Group packaged the malicious JBIG2 data as a fake GIF sent via iMessage. iMessage automatically processed the attachment to generate an inline preview — triggering CoreGraphics without any user action beyond receiving the message
  • JBIG2 compute platform: Project Zero's analysis revealed that FORCEDENTRY used JBIG2's logical operations to implement a 64-bit adder and comparator — essentially building a Turing-complete compute environment within the CoreGraphics parser to bootstrap the full exploit chain
  • Three-stage chain: CVE-2021-30860 (CoreGraphics, initial code execution via JBIG2) → CVE-2021-30858 (WebKit UAF, renderer access) → CVE-2021-30869 (XNU type confusion, kernel escalation) → complete Pegasus spyware installation with root persistence
  • CVSS note: The AV:L/UI:R CVSS rating underrepresents the actual impact — in practice, FORCEDENTRY required NO user interaction; the "user interaction required" reflects the iMessage receipt event, not a user actively opening/clicking anything
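
The arithmetic pattern named in the root-cause bullet, shown as an added C example (it is not Apple's code and not part of the original page): a 32-bit size calculation that wraps, next to a checked version that rejects the same input. The names seg_t, num_syms, MAX_BYTES and both functions are hypothetical, and the sample values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical record: symbols contributed by one referenced segment. */
typedef struct { uint32_t num_syms; } seg_t;

#define MAX_BYTES ((size_t)64 * 1024 * 1024)   /* assumed decoder allocation cap */

/* Constructed inputs: the first pair sums past 2^32, the second is benign. */
static const seg_t SAMPLE_WRAP[2] = { { 0x80000000u }, { 0x80000001u } };
static const seg_t SAMPLE_OK[2]   = { { 10u }, { 20u } };

/* Unchecked pattern (CWE-190): the 32-bit sum and product wrap silently, so
 * the size handed to the allocator can be far smaller than the data implies. */
static uint32_t alloc_size_unchecked(const seg_t *segs, size_t n, uint32_t elem)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += segs[i].num_syms;          /* wraps modulo 2^32 */
    return total * elem;                    /* wraps again */
}

/* Hardened form: widen to size_t, check every step (GCC/Clang builtins),
 * and enforce a cap. Returns the byte count, or -1 to reject the input. */
static int64_t alloc_size_checked(const seg_t *segs, size_t n, uint32_t elem)
{
    size_t total = 0, bytes = 0;
    for (size_t i = 0; i < n; i++)
        if (__builtin_add_overflow(total, segs[i].num_syms, &total))
            return -1;
    if (__builtin_mul_overflow(total, elem, &bytes) || bytes > MAX_BYTES)
        return -1;
    return (int64_t)bytes;
}

int main(void)
{
    printf("wrap sample: unchecked=%u checked=%lld\n",
           (unsigned)alloc_size_unchecked(SAMPLE_WRAP, 2, 8),
           (long long)alloc_size_checked(SAMPLE_WRAP, 2, 8));
    printf("ok sample:   unchecked=%u checked=%lld\n",
           (unsigned)alloc_size_unchecked(SAMPLE_OK, 2, 8),
           (long long)alloc_size_checked(SAMPLE_OK, 2, 8));
    return 0;
}
```

For the constructed wrapping input the unchecked routine reports 8 bytes although the counts imply tens of gigabytes; the checked routine refuses it, which is the behaviour a parser of untrusted image data needs before any allocation.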

Discovery

Discovered by Citizen Lab (University of Toronto) researchers while analyzing the iPhone of Saudi activist Saar Arif. Citizen Lab identified the exploit chain on September 7, 2021 and immediately notified Apple. Six days later, Apple released emergency patches. Citizen Lab and Google Project Zero subsequently published detailed technical analyses.

Exploitation Context

FORCEDENTRY represents a watershed moment in mobile surveillance: a fully weaponized, zero-click iOS exploit sold commercially to government customers by NSO Group. The exploit was used to install Pegasus spyware — providing real-time access to calls, messages, camera, microphone, and location — against journalists, activists, diplomats, and political opponents. The discovery of FORCEDENTRY on Bahraini activists' iPhones (analyzed by Citizen Lab) eventually led to Apple suing NSO Group (November 2021) and the US government adding NSO Group to the Entity List. This exploit demonstrated that even up-to-date iPhones could be compromised without any user interaction through a standard iMessage.

Remediation

  1. Update iOS/iPadOS to 14.8 or later — any current iOS version contains the fix
  2. Update macOS to Big Sur 11.6 or later; watchOS to 7.6.2 or later
  3. Enable Lockdown Mode (iOS 16+) for high-risk individuals (journalists, activists, government officials) — Lockdown Mode significantly restricts attack surfaces including iMessage link previews and image processing
  4. Enable iMessage filtering and be aware that FORCEDENTRY-style attacks require no user interaction — awareness alone does not protect against zero-click exploits
  5. If Pegasus compromise is suspected, use Amnesty International's MVT tool or contact a digital forensics professional; a factory reset is required to remove Pegasus

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2021-30860 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2021-08-24 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-190 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2021-09-07 | Citizen Lab notifies Apple of the FORCEDENTRY zero-day chain after discovering it on a Saudi activist's iPhone |
| 2021-09-13 | Apple releases iOS 14.8, iPadOS 14.8, macOS 11.6, and watchOS 7.6.2 patching CVE-2021-30860 (FORCEDENTRY), CVE-2021-30858 (WebKit UAF), and CVE-2021-30869 (XNU type confusion) |
| 2021-09-13 | Citizen Lab publishes FORCEDENTRY research, exposing NSO Group's zero-click iMessage exploit chain used against journalists, activists, and dissidents |
| 2021-08-24 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
| 2021-11-23 | Apple sues NSO Group over FORCEDENTRY exploitation |