CVE-2021-30900 — Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability

Apple GPU Drivers — Out-of-Bounds Write in GPU Driver Enables Malicious App to Execute Code with Kernel Privileges on iOS, iPadOS, and macOS

What is Apple's GPU Driver?

Apple devices include GPU (Graphics Processing Unit) drivers that manage communication between applications and the graphics hardware. On iOS and macOS, GPU drivers are kernel-mode components — they operate at the highest privilege level to provide hardware-accelerated graphics rendering to applications. All iOS apps that use graphics (which includes most modern apps) interact with the GPU driver. As kernel-mode code that processes input from user-space applications, GPU driver vulnerabilities can be exploited by a malicious app to corrupt kernel memory and achieve kernel-level code execution — bypassing the iOS sandbox and gaining complete device control.

Overview

CVE-2021-30900 is an out-of-bounds write vulnerability (CWE-787) in Apple's GPU drivers, affecting iOS, iPadOS, and macOS. A malicious application can trigger an out-of-bounds write in the GPU driver, corrupting kernel memory and achieving code execution with kernel privileges. Apple patched this in iOS 15.1 and iPadOS 15.1 (October 25, 2021) and macOS 12.0.1 (Monterey). CISA added it to KEV in March 2023, over a year after the patch, reflecting confirmed exploitation in the wild against devices running older iOS versions. The late KEV addition suggests targeted exploitation in surveillance or cybercriminal operations against unpatched devices.

Affected Versions

Product                          Vulnerable   Fixed
iOS before 15.1                  Yes          iOS 15.1 (October 25, 2021)
iPadOS before 15.1               Yes          iPadOS 15.1 (October 25, 2021)
macOS Big Sur before 11.6.1      Yes          macOS 11.6.1 (October 25, 2021)
macOS Monterey before 12.0.1     Yes          macOS 12.0.1 (October 25, 2021)

Technical Details

  • Root cause: Out-of-bounds write (CWE-787) in Apple's GPU kernel driver — an application that sends specially crafted requests to the GPU driver can cause a write operation beyond an allocated kernel buffer, corrupting adjacent kernel memory
  • Kernel code execution: The OOB write in a kernel driver achieves arbitrary kernel memory corruption, exploitable for kernel code execution — breaking the iOS app sandbox and achieving full device control
  • Attack vector: Local (AV:L) with no privileges required (PR:N) but user interaction required (UI:R) — the malicious app runs on the device and uses the GPU driver interface accessible to all apps. The exploit is typically delivered as a second stage after a browser or iMessage exploit provides initial code execution
  • GPU driver attack surface: All apps on iOS interact with GPU drivers for rendering; the GPU driver interface provides a large and complex attack surface that has been successfully exploited multiple times
  • Cross-platform scope: The vulnerability affects both iOS/iPadOS (mobile) and macOS (desktop) due to shared GPU driver codebase

Discovery

The vulnerability was identified and reported to Apple. The March 2023 CISA KEV addition (approximately 18 months after the October 2021 patch) reflects confirmed in-the-wild exploitation in targeted attack chains, consistent with commercial spyware or advanced cybercriminal use against unpatched devices.

Exploitation Context

Apple GPU driver vulnerabilities are used as kernel escalation steps in iOS and macOS exploit chains. After achieving initial renderer code execution (via WebKit, PDF, or image processing vulnerabilities), attackers use kernel exploits like CVE-2021-30900 to break out of the sandbox and install persistent access tools. The late CISA KEV addition confirms this was being exploited well after the patch was available, targeting organizations and individuals running outdated iOS versions.

Remediation

  1. Update iOS/iPadOS to 15.1 or later — any current iOS version contains the fix
  2. Update macOS to Monterey 12.0.1 or later, or macOS Big Sur 11.6.1 or later
  3. Enable automatic software updates: Settings → General → Software Update → Automatic Updates
  4. For enterprise iOS management: enforce minimum OS version via MDM and flag devices below iOS 15.1 for immediate update
  5. Consider enabling Lockdown Mode (iOS 16+) for users at highest risk of targeted surveillance
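
An added example, not part of the original advisory: a version check for remediation step 4 that classifies a device inventory against the fixed versions in the Affected Versions table. The CSV column names, device IDs and the "unknown" result for releases the table does not list are assumptions made for illustration.

```python
import csv
import io

# Fixed versions from this page's Affected Versions table. macOS is keyed by
# major release: Big Sur (11) and Monterey (12) were patched on separate
# branches, so 12.0 is vulnerable even though it sorts above 11.6.1.
FIXED = {"ios": (15, 1, 0), "ipados": (15, 1, 0)}
FIXED_MACOS = {11: (11, 6, 1), 12: (12, 0, 1)}

# Constructed sample inventory (hypothetical MDM export; column names assumed).
SAMPLE_INVENTORY = """device_id,platform,os_version
iphone-007,iOS,15.0.2
ipad-014,iPadOS,15.1
mac-021,macOS,11.6.1
mac-022,macOS,12.0
mac-023,macOS,10.15.7
mac-030,macOS,13.4
iphone-040,iOS,15.1b
"""

def parse_version(text):
    """'15.0.2' -> (15, 0, 2), zero-padded to three fields; ValueError on junk."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(platform, version_text):
    """Classify one device as 'fixed', 'vulnerable' or 'unknown'."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # unparseable version string: review by hand
    platform = platform.strip().lower()
    if platform == "macos":
        if version[0] > 12:
            return "fixed"  # covered by "Monterey 12.0.1 or later"
        fixed = FIXED_MACOS.get(version[0])
    else:
        fixed = FIXED.get(platform)
    if fixed is None:
        return "unknown"  # platform or release the table does not cover
    return "fixed" if version >= fixed else "vulnerable"

def flag_devices(inventory_csv):
    """Return (device_id, status) for every device not confirmed fixed."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    results = ((r["device_id"], status(r["platform"], r["os_version"])) for r in rows)
    return [(dev, st) for dev, st in results if st != "fixed"]
```

Calling flag_devices(SAMPLE_INVENTORY) returns the devices to escalate; "unknown" entries need manual review rather than being treated as patched.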

Key Details

Property              Value
CVE ID                CVE-2021-30900
Vendor / Product      Apple — iOS, iPadOS, and macOS
NVD Published         2021-08-24
NVD Last Modified     2025-10-23
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-787
CISA KEV Added        2023-03-30
CISA KEV Deadline     2023-04-20
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-04-20. Apply updates per vendor instructions.

Timeline

Date         Event
2021-10-25   Apple releases iOS 15.1 and iPadOS 15.1, patching CVE-2021-30900 in GPU drivers
2021-10-25   macOS 12.0.1 (Monterey) and macOS 11.6.1 also address this vulnerability
2021-08-24   CVE published
2023-03-30   Added to CISA Known Exploited Vulnerabilities catalog — over a year after patch
2023-04-20   CISA BOD 22-01 remediation deadline
