What is the Apple XNU Kernel?
XNU is the operating system kernel for macOS, iOS, iPadOS, watchOS, and tvOS — a hybrid kernel that combines the Mach microkernel and FreeBSD components. The XNU kernel enforces all security boundaries on Apple platforms: app sandboxing, process isolation, privilege separation, and access control to hardware and system resources. Type confusion vulnerabilities in XNU allow attackers with renderer-level code execution (from a WebKit or CoreGraphics exploit) to break out of the app sandbox and gain kernel-level code execution — the final step in achieving complete device control.
Overview
CVE-2021-30869 is a type confusion vulnerability (CWE-843) in the Apple XNU kernel, affecting iOS, iPadOS, and macOS. A malicious application that has achieved code execution in a sandboxed process can exploit the XNU type confusion to escalate to kernel-level code execution — bypassing the iOS sandbox and gaining complete control of the device. Apple patched this in iOS 14.8 (September 13, 2021) alongside the FORCEDENTRY exploit components CVE-2021-30860 (CoreGraphics integer overflow) and CVE-2021-30858 (WebKit UAF). CVE-2021-30869 represents the kernel escalation stage of the complete FORCEDENTRY chain used by NSO Group's Pegasus spyware.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| iOS before 14.8 | Yes | iOS 14.8 (September 13, 2021) |
| iPadOS before 14.8 | Yes | iPadOS 14.8 (September 13, 2021) |
| macOS Big Sur before 11.6 | Yes | macOS 11.6 (September 13, 2021) |
Technical Details
- Root cause: Type confusion (CWE-843) in the XNU kernel — the kernel accesses a memory object as the wrong type; an attacker who can trigger that mismatch can achieve arbitrary kernel read/write, ultimately enabling kernel code execution
- Sandbox escape: XNU type confusion allows an attacker who has already achieved renderer-level code execution (via WebKit/CoreGraphics exploit) to break out of the iOS process sandbox and execute code with kernel (root) privileges
- Kernel code execution enables:
  - Full device control (unrestricted access to all processes, files, memory)
  - Disabling kernel security features (KASLR bypass, PAC bypass)
  - Persistent spyware installation that survives app termination
  - Access to all on-device data: messages, calls, photos, location, encrypted app data
- FORCEDENTRY chain position: CVE-2021-30860 (initial code execution via JBIG2) → CVE-2021-30858 (WebKit renderer access) → CVE-2021-30869 (kernel escalation via XNU) → complete Pegasus spyware installation
- Scope of impact: Once kernel code execution is achieved, Pegasus spyware installs with root persistence, surviving device restarts and maintaining real-time surveillance capability
Discovery
Identified as part of Citizen Lab's FORCEDENTRY analysis — the three-CVE September 2021 patch cluster (30858, 30860, 30869) reflects Apple's response to the complete Pegasus exploit chain. Citizen Lab discovered the chain on September 7, 2021; Apple patched all components six days later in a single emergency release.
Exploitation Context
CVE-2021-30869 is the kernel escalation component that converts WebKit renderer code execution into full device control in the Pegasus FORCEDENTRY chain. Without a kernel exploit like CVE-2021-30869, the attack chain would achieve only sandboxed renderer execution — dangerous but limited. With it, NSO Group's customers received complete, persistent device access including real-time call interception, encrypted message decryption (by reading from memory), camera activation, microphone recording, and GPS location tracking. The September 2021 emergency patch bundle (addressing all three chain components simultaneously) represents Apple's most aggressive response to commercial spyware exploitation to date.
Remediation
- Update iOS/iPadOS to 14.8 or later — any current iOS version contains the fix
- Update macOS to Big Sur 11.6 or later
- All three FORCEDENTRY components (CVE-2021-30858, CVE-2021-30860, and CVE-2021-30869) are fixed in iOS 14.8 — updating to this version addresses the complete chain
- Enable Lockdown Mode (iOS 16+) for high-risk individuals — this significantly restricts the attack surface that kernel escalation chains depend on
- If targeted surveillance is suspected: use Amnesty International's MVT tool; a factory reset is required to remove Pegasus persistent kernel implants
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-30869 |
| Vendor / Product | Apple — iOS, iPadOS, and macOS |
| NVD Published | 2021-08-24 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-843 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-08-24 | CVE published |
| 2021-09-13 | Apple releases iOS 14.8, iPadOS 14.8, and macOS 11.6 patching CVE-2021-30869 (XNU type confusion) alongside FORCEDENTRY CVE-2021-30860 and CVE-2021-30858 |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apple Security Advisory — iOS 14.8 and iPadOS 14.8 | Vendor Advisory |
| Citizen Lab — FORCEDENTRY: NSO Group iMessage Zero-Click Exploit | Security Research |
| NVD — CVE-2021-30869 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |