CVE-2021-30860

7.8 HIGH

📋 TL;DR

This vulnerability allows arbitrary code execution when processing malicious PDF files due to an integer overflow in Apple's PDF processing components. It affects multiple Apple operating systems and has been actively exploited in the wild. Users who open untrusted PDF files on vulnerable systems are at risk.

💻 Affected Systems

Products:
  • iOS
  • iPadOS
  • macOS
  • watchOS
Versions: Prior to Security Update 2021-005 Catalina, iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2
Operating Systems: iOS, iPadOS, macOS, watchOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. PDF processing is built into the operating systems and cannot be disabled without breaking functionality.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the device, allowing data theft, persistence installation, and lateral movement.

🟠 Likely Case

Malicious PDFs delivered via phishing or compromised websites execute arbitrary code, leading to data exfiltration, ransomware deployment, or credential theft.

🟢 If Mitigated

With proper patching and security controls, impact is limited to isolated incidents with minimal data exposure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Apple confirmed active exploitation. The exploit requires user interaction to open the malicious PDF, but no authentication. Multiple public disclosures contain technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security Update 2021-005 Catalina, iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2

Vendor Advisory: https://support.apple.com/en-us/HT212804

Restart Required: Yes

Instructions:

1. Open System Preferences > Software Update on macOS.
2. Open Settings > General > Software Update on iOS/iPadOS.
3. Open Watch app > General > Software Update on watchOS.
4. Install all available updates.
5. Restart the device when prompted.

🔧 Temporary Workarounds

Disable PDF Preview (all platforms)

Prevent automatic PDF rendering in browsers and email clients:
  • Browser-specific: disable PDF preview in Chrome/Firefox/Safari settings
  • Email clients: disable automatic image/attachment loading

Application Sandboxing (macOS)

Use sandboxed PDF viewers that limit system access:
  • Use third-party PDF viewers with sandboxing enabled
  • Configure macOS Gatekeeper to restrict unsigned applications

🧯 If You Can't Patch

  • Block PDF files at network perimeter using content filtering
  • Implement application allowlisting to prevent unauthorized PDF viewers

🔍 How to Verify

Check if Vulnerable:

Check the OS version:
  • macOS: About This Mac > Overview
  • iOS/iPadOS: Settings > General > About
  • watchOS: Watch app > General > About

Check Version:

  • macOS: sw_vers -productVersion
  • iOS/iPadOS: Settings > General > About > Version
  • watchOS: Watch app > General > About > Version

Verify Fix Applied:

Verify that the installed version matches or exceeds the patched versions listed under Official Fix > Patch Version above.
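To apply that version check across a fleet rather than one device at a time, here is an added shell example (not code from the advisory or from Apple) that compares platform/version pairs, as exported from an inventory or MDM, against the fixed versions listed under Official Fix. The inventory lines are constructed, and the example assumes that Security Update 2021-005 leaves Catalina's product version at 10.15.7 (only the build number changes), so 10.15.x is flagged for a manual check instead of being judged by version:

```shell
# Added example, not code from the advisory or from Apple: judge inventory
# entries (platform + productVersion, constructed below) against the fixed
# versions listed in this advisory. Assumption: Security Update 2021-005 leaves
# Catalina's sw_vers -productVersion at 10.15.7, so 10.15.x needs a manual check.

# version_ge A B: true when A >= B, comparing dot-separated numeric fields.
version_ge() {
    v1="$1."; v2="$2."
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}; v1=${v1#*.}; v2=${v2#*.}
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# First fixed version per platform, from the advisory's patch list.
fixed_version() {
    case "$1" in
        iOS|iPadOS) echo "14.8" ;;
        watchOS)    echo "7.6.2" ;;
        macOS)      echo "11.6" ;;
        *)          echo "" ;;
    esac
}

# Prints one of: patched | vulnerable | check-security-updates | unknown-platform
cve_2021_30860_status() {
    platform="$1"; ver="$2"
    case "$platform:$ver" in
        macOS:10.15*) echo "check-security-updates"; return 0 ;;
    esac
    fixed=$(fixed_version "$platform")
    [ -z "$fixed" ] && { echo "unknown-platform"; return 0; }
    if version_ge "$ver" "$fixed"; then echo "patched"; else echo "vulnerable"; fi
}

# Constructed sample inventory lines ("<platform> <productVersion>").
sample_inventory() {
    printf '%s\n' "macOS 11.5.2" "macOS 11.6" "macOS 10.15.7" \
                  "iOS 14.7.1" "iPadOS 14.8" "watchOS 7.6.1"
}

# One "<platform> <version>: <status>" line per inventory entry.
report_inventory() {
    sample_inventory | while read -r platform ver; do
        printf '%s %s: %s\n' "$platform" "$ver" "$(cve_2021_30860_status "$platform" "$ver")"
    done
}
```

On a Mac, cve_2021_30860_status macOS "$(sw_vers -productVersion)" checks the local system; for Catalina, compare the output of sw_vers -buildVersion with the build named in the vendor advisory.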

📡 Detection & Monitoring

Log Indicators:

  • Unexpected PDF processing crashes in system logs
  • Suspicious PDF file access from untrusted sources
  • Unusual process spawning from PDF-related applications

Network Indicators:

  • PDF downloads from suspicious domains
  • Unusual outbound connections after PDF file access

SIEM Query:

(source="*system.log*" AND "PDF" AND ("crash" OR "exception")) OR (process_name="Preview" AND parent_process NOT IN ("Finder", "Mail"))
