The bug could be exploited to execute arbitrary code with kernel privileges on vulnerable devices, warns Apple’s advisory.
Reported by an anonymous researcher, the vulnerability affected virtually all Apple-ware including Macs, iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4 and later, and iPod touch (7th generation).
Tracked as CVE-2021-30807, Apple describes the vulnerability as a memory corruption issue in the IOMobileFramebuffer kernel extension.
Apple acknowledged reports that the bug “may have been actively exploited,” but didn’t share any further details about the exploitation.
Meanwhile, The Record has spotted a proof-of-concept exploit posted by a security researcher that takes advantage of the CVE-2021-30807 vulnerability, while another has published a detailed analysis claiming to have found the bug independently.
Notably, CVE-2021-30807 is the 13th zero-day vulnerability that Apple has had to patch this year alone. While a majority of the earlier zero-days impacted iOS and iPadOS, a couple also troubled macOS users as well.
In any case, Apple urges its users to update to the updated iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1 versions it has released to address the CVE-2021-30807 vulnerability.