CVE-2021-30937

7.8 HIGH

📋 TL;DR

This is a memory corruption vulnerability in Apple's XNU kernel that allows a malicious application to execute arbitrary code with kernel privileges. It affects multiple Apple operating systems including macOS, iOS, iPadOS, tvOS, and watchOS. Attackers could gain full control of affected devices.

💻 Affected Systems

Products:
  • macOS
  • iOS
  • iPadOS
  • tvOS
  • watchOS
Versions: Versions prior to macOS Big Sur 11.6.2, macOS Monterey 12.1, Security Update 2021-008 Catalina, iOS 15.2, iPadOS 15.2, tvOS 15.2, watchOS 8.3
Operating Systems: Apple macOS, Apple iOS, Apple iPadOS, Apple tvOS, Apple watchOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable; exploitation requires a malicious application to be installed and executed.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with kernel-level code execution, allowing attackers to install persistent malware, steal sensitive data, or disable security controls.

🟠 Likely Case: Malicious apps from untrusted sources exploiting the vulnerability to gain elevated privileges and perform unauthorized actions on the device.

🟢 If Mitigated: Limited impact if devices are updated to patched versions and only trusted applications are installed from official sources.

🌐 Internet-Facing: LOW, as exploitation typically requires local application execution rather than remote network access.
🏢 Internal Only: MEDIUM, as malicious applications could be installed internally, but requires user interaction or compromised app distribution.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a malicious application to be run locally; the public proof-of-concept describes a heap use-after-free in XNU's inm_merge function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Big Sur 11.6.2, tvOS 15.2, macOS Monterey 12.1, Security Update 2021-008 Catalina, iOS 15.2 and iPadOS 15.2, watchOS 8.3

Vendor Advisory: https://support.apple.com/en-us/HT212975

Restart Required: Yes

Instructions:

1. Go to System Preferences > Software Update on macOS, or Settings > General > Software Update on iOS/iPadOS/tvOS/watchOS.
2. Install the available update.
3. Restart the device as prompted.

🔧 Temporary Workarounds

Restrict application installation (applies to: all affected platforms)

Only allow installation of applications from trusted sources like the App Store to reduce the risk of malicious apps.

🧯 If You Can't Patch

  • Isolate affected devices on network segments to limit lateral movement if compromised.
  • Implement application allowlisting to prevent execution of untrusted applications.

🔍 How to Verify

Check if Vulnerable:

Check the operating system version against the affected versions listed in the Apple security advisories.

Check Version:

On macOS: run 'sw_vers -productVersion' in Terminal.
On iOS/iPadOS: Settings > General > About > Version.
On tvOS: Settings > General > About > Version.
On watchOS: open the Watch app on the iPhone > General > About > Version.

Verify Fix Applied:

Verify that the device is running one of the patched versions specified in the fix information.
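As an added example (not part of this advisory page), a POSIX shell check that classifies the version string from 'sw_vers -productVersion' against the patched macOS versions listed above; the function names are my own, and Catalina is flagged for a manual check because Security Update 2021-008 does not change the product version.

```shell
#!/bin/sh
# Added example (not from the advisory): classify the macOS version reported by
# `sw_vers -productVersion` against the CVE-2021-30937 patch versions listed
# above: Big Sur 11.6.2 and Monterey 12.1. Catalina (10.15.x) received the fix
# as Security Update 2021-008, which leaves the product version unchanged, so
# it is reported as needing a manual check rather than guessed.

# version_ge A B: exit 0 if dotted version A >= B, comparing numerically
# component by component (missing components count as 0, so 11.6 < 11.6.2).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# cve_2021_30937_status VERSION: prints one of
#   patched | vulnerable | needs-security-update-check | not-in-advisory
cve_2021_30937_status() {
    v="$1"
    case $v in
        10.15|10.15.*)
            # Catalina: confirm with `softwareupdate --history | grep 2021-008`
            echo needs-security-update-check; return ;;
    esac
    major=${v%%.*}
    if [ "$major" -ge 13 ]; then
        echo patched                      # released after the fix shipped
    elif [ "$major" -eq 12 ]; then
        if version_ge "$v" 12.1; then echo patched; else echo vulnerable; fi
    elif [ "$major" -eq 11 ]; then
        if version_ge "$v" 11.6.2; then echo patched; else echo vulnerable; fi
    else
        echo not-in-advisory              # releases older than Catalina
    fi
}

# When run on a Mac, check the local system; elsewhere the functions are only
# defined so the classifier can be exercised with sample version strings.
if command -v sw_vers >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    echo "macOS $ver: CVE-2021-30937 status: $(cve_2021_30937_status "$ver")"
fi
```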

📡 Detection & Monitoring

Log Indicators:

  • Unusual kernel panic logs or crashes, unexpected privilege escalation events in system logs.

Network Indicators:

  • Unusual outbound connections from system processes post-exploitation.

SIEM Query:

Search for events indicating kernel-level anomalies or unauthorized privilege changes on Apple devices.
