What is Apple WebKit?
WebKit is Apple's open-source web browser engine that powers Safari and renders web content across iOS, iPadOS, macOS, tvOS, and watchOS. On iOS and iPadOS, all browsers — Safari, Chrome, Firefox, and every other App Store browser — are required to use WebKit for rendering, making WebKit vulnerabilities universally impactful on Apple mobile platforms. WebKit processes untrusted HTML, CSS, JavaScript, and media content. Integer overflow vulnerabilities in WebKit's content processing code can corrupt memory structures and lead to arbitrary code execution in the browser renderer process, making them a foundational component of browser-based exploit chains.
Overview
CVE-2021-30952 is an integer overflow or wraparound vulnerability (CWE-190) in Apple's web content processing stack, affecting iOS, iPadOS, macOS, tvOS, and watchOS. Processing maliciously crafted web content can trigger the integer overflow, leading to arbitrary code execution. Apple patched this in the December 13, 2021 software release wave (iOS 15.2, macOS Monterey 12.1, tvOS 15.2, watchOS 8.3). CISA added the vulnerability to the KEV catalog in March 2026 — over four years after the patch — confirming that exploitation against devices running outdated Apple OS versions was observed.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| iOS before 15.2 | Yes | iOS 15.2 (December 13, 2021) |
| iPadOS before 15.2 | Yes | iPadOS 15.2 (December 13, 2021) |
| macOS Monterey before 12.1 | Yes | macOS Monterey 12.1 (December 13, 2021) |
| tvOS before 15.2 | Yes | tvOS 15.2 (December 13, 2021) |
| watchOS before 8.3 | Yes | watchOS 8.3 (December 13, 2021) |
Technical Details
- Root cause: Integer overflow or wraparound (CWE-190) in web content processing — arithmetic on a size or length value overflows, producing an incorrect result that leads to heap corruption when processing specially crafted web content
- Code execution: The memory corruption from the integer overflow is exploitable for code execution in the WebKit renderer process — typically the first stage in a browser-based exploit chain targeting Apple devices
- Attack vector: The CVSS AV:L rating reflects execution of a malicious local application; however, web-delivered exploits that trigger this via crafted web pages or iMessage link previews represent a more realistic attack scenario
- Cross-platform scope: The vulnerability affects all Apple platforms sharing the WebKit codebase — iOS, iPadOS, macOS, tvOS, and watchOS — providing broad device coverage for any exploitation campaign
- Integer overflow pattern: Apple WebKit has been a recurring source of integer overflow vulnerabilities in image/media processing and layout engine code; these are typically triggered through crafted HTML, SVG, video, or image content
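The size-arithmetic pattern behind the root cause and the image/media trigger surface described above, as an added C++ illustration (constructed for this write-up, not WebKit code and not the CVE-2021-30952 bug itself, which the advisory does not name). `ImageHeader`, `naiveImageBufferSize`, `checkedImageBufferSize` and `decodeImage` are hypothetical names; the toy decoder assumes a 32-bit size type, which is where a width × height × bytes-per-pixel product from an untrusted header can wrap.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Constructed header for a raw bitmap. All three fields arrive from untrusted
// content, so none of them can be assumed to keep the product small.
struct ImageHeader {
    uint32_t width;
    uint32_t height;
    uint32_t bytesPerPixel;
};

// Vulnerable pattern (CWE-190): the 32-bit multiply silently wraps modulo 2^32.
// A header of 65536 x 65536 x 1 yields a buffer size of 0, and a later loop
// that writes width * height * bytesPerPixel bytes overruns the tiny buffer.
uint32_t naiveImageBufferSize(const ImageHeader& h) {
    return h.width * h.height * h.bytesPerPixel;
}

// Hardened pattern: do the arithmetic in 64 bits and refuse any result that does
// not fit back into the 32-bit size type. This is the same check that
// checked-arithmetic wrappers (WebKit's WTF::Checked, for instance) package
// into a type so callers cannot forget it.
std::optional<uint32_t> checkedImageBufferSize(const ImageHeader& h) {
    uint64_t pixels = static_cast<uint64_t>(h.width) * h.height;
    if (pixels > UINT32_MAX) return std::nullopt;
    // Both factors are below 2^32 here, so this product cannot exceed 64 bits.
    uint64_t bytes = pixels * h.bytesPerPixel;
    if (bytes > UINT32_MAX) return std::nullopt;
    return static_cast<uint32_t>(bytes);
}

// Decoder entry point built on the checked size: returns false and leaves `out`
// empty when the header would overflow, instead of allocating an undersized
// buffer. Pixel bytes come from a caller-supplied payload; a short payload is
// zero-padded so the demo stays deterministic.
bool decodeImage(const ImageHeader& h, const std::vector<uint8_t>& payload,
                 std::vector<uint8_t>& out) {
    out.clear();
    std::optional<uint32_t> size = checkedImageBufferSize(h);
    if (!size) return false;  // reject the header rather than wrap the size
    out.assign(*size, 0);
    size_t n = payload.size() < out.size() ? payload.size() : out.size();
    for (size_t i = 0; i < n; ++i) out[i] = payload[i];
    return true;
}

int main() {
    ImageHeader wrap{65536, 65536, 1};  // constructed: product is exactly 2^32
    ImageHeader sane{640, 480, 4};
    std::printf("naive size for 65536x65536x1: %u (wrapped)\n", naiveImageBufferSize(wrap));
    std::printf("checked size for 65536x65536x1: %s\n",
                checkedImageBufferSize(wrap) ? "accepted" : "rejected");
    std::printf("checked size for 640x480x4: %u\n", checkedImageBufferSize(sane).value());
    return 0;
}
```

The naive function is kept only to show the wrapped value; in real code the checked variant must be the only path from untrusted dimensions to an allocation, and the rejection has to happen before any buffer is sized, not after.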
Discovery
Reported to Apple and patched as part of the December 2021 software update wave. The CISA KEV addition in March 2026 — over four years after the patch — suggests this vulnerability was incorporated into exploit toolkits targeting Apple devices with delayed update adoption, consistent with commercial surveillance or cybercriminal operations against unpatched fleets.
Exploitation Context
The March 2026 CISA KEV addition for a December 2021 vulnerability highlights a recurring pattern in Apple exploit chains: vulnerabilities patched years ago continue to see exploitation against organizations and individuals who have not applied updates. This gap between patch availability and KEV addition reflects CISA's confirmation of active exploitation, not the discovery of a new vulnerability. Apple WebKit integer overflow vulnerabilities are frequently chained with kernel escalation bugs (such as IOMobileFrameBuffer or XNU type confusion vulnerabilities) to achieve complete device compromise.
Remediation
- Update iOS/iPadOS to 15.2 or later — any current iOS release contains the fix
- Update macOS to Monterey 12.1 or later
- Update tvOS to 15.2 or later and watchOS to 8.3 or later
- Enable automatic software updates across all Apple devices: Settings → General → Software Update → Automatic Updates
- For enterprise fleet management: enforce minimum OS version policies via MDM and flag devices below iOS 15.2 for immediate remediation
- Consider Lockdown Mode (iOS 16+) for high-risk users — this significantly restricts WebKit's attack surface by disabling web content features frequently exploited in browser-based attacks
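A fleet check for the MDM step above, as an added C++ example (not a vendor or project tool). The minimum versions are the fixed releases listed in this advisory; the `Device` fields, the sample inventory and the `visionOS` entry are constructed assumptions, since MDM exports differ in column names and you would map your own onto `Device`. The comparison is numeric per component, so a device on 15.10 is correctly treated as newer than 15.2 and 15.2 equals 15.2.0.

```cpp
#include <cstdlib>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One inventory record (constructed shape; adapt to your MDM export).
struct Device {
    std::string id;
    std::string platform;   // "iOS", "iPadOS", "macOS", "tvOS", "watchOS"
    std::string osVersion;  // dotted, e.g. "15.1.1"
};

struct Finding {
    std::string id;
    std::string reason;
};

// Fixed releases from the advisory, keyed by platform.
const std::map<std::string, std::string> kMinimumFixedVersion = {
    {"iOS", "15.2"}, {"iPadOS", "15.2"}, {"macOS", "12.1"},
    {"tvOS", "15.2"}, {"watchOS", "8.3"},
};

// Split "15.1.1" into {15, 1, 1}; a non-numeric component counts as 0.
std::vector<int> parseVersion(const std::string& v) {
    std::vector<int> parts;
    std::stringstream ss(v);
    std::string piece;
    while (std::getline(ss, piece, '.'))
        parts.push_back(std::atoi(piece.c_str()));
    return parts;
}

// Numeric, component-wise comparison; missing trailing components are 0.
// Plain string comparison would rank "15.10" below "15.2".
int compareVersions(const std::string& a, const std::string& b) {
    std::vector<int> pa = parseVersion(a), pb = parseVersion(b);
    size_t n = pa.size() > pb.size() ? pa.size() : pb.size();
    for (size_t i = 0; i < n; ++i) {
        int x = i < pa.size() ? pa[i] : 0;
        int y = i < pb.size() ? pb[i] : 0;
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

// Every device still below the fixed release for its platform, plus any device
// whose platform the policy does not cover, so it is reviewed instead of
// silently passing.
std::vector<Finding> flagOutdated(const std::vector<Device>& fleet) {
    std::vector<Finding> findings;
    for (const Device& d : fleet) {
        auto it = kMinimumFixedVersion.find(d.platform);
        if (it == kMinimumFixedVersion.end()) {
            findings.push_back({d.id, "platform not covered by policy: " + d.platform});
        } else if (compareVersions(d.osVersion, it->second) < 0) {
            findings.push_back({d.id, d.platform + " " + d.osVersion + " is below " + it->second});
        }
    }
    return findings;
}

// Constructed sample inventory for a stand-alone run.
std::vector<Device> sampleFleet() {
    return {
        {"ipad-001", "iPadOS", "15.1.1"},  // below 15.2: flagged
        {"iphone-002", "iOS", "15.10"},    // newer than 15.2 numerically: passes
        {"mac-003", "macOS", "12.0.1"},    // below 12.1: flagged
        {"watch-004", "watchOS", "8.3"},   // exactly the fixed release: passes
        {"tv-005", "tvOS", "16.0"},        // passes
        {"thing-006", "visionOS", "1.0"},  // not in policy: flagged for review
    };
}
```

Run `flagOutdated(sampleFleet())` and feed the findings to whatever ticketing or MDM action your remediation workflow uses; the point of the uncovered-platform finding is that a new device class never passes the check by accident.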
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-30952 |
| Vendor / Product | Apple — Multiple Products |
| NVD Published | 2021-08-24 |
| NVD Last Modified | 2026-03-06 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-190 |
| CISA KEV Added | 2026-03-05 |
| CISA KEV Deadline | 2026-03-26 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-08-24 | CVE published |
| 2021-12-13 | Apple releases iOS 15.2, iPadOS 15.2, macOS Monterey 12.1, tvOS 15.2, and watchOS 8.3 patching CVE-2021-30952 |
| 2026-03-05 | Added to CISA Known Exploited Vulnerabilities catalog — over four years after the patch, confirming exploitation against unpatched legacy devices |
| 2026-03-26 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apple Security Advisory — iOS 15.2 and iPadOS 15.2 | Vendor Advisory |
| Apple Security Advisory — macOS Monterey 12.1 | Vendor Advisory |
| Apple Security Advisory — tvOS 15.2 | Vendor Advisory |
| Apple Security Advisory — watchOS 8.3 | Vendor Advisory |
| NVD — CVE-2021-30952 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |