Apple has released patches for iOS, iPadOS and macOS that address a zero-day vulnerability that the company says is already being exploited in attacks. The company has not yet disclosed any details about these attacks.
The issue, tracked as CVE-2021-30807, was discovered by an anonymous researcher and is related to the IOMobileFramebuffer kernel extension, which allows developers to control how device memory interacts with the framebuffer. According to the developers, CVE-2021-30807 can be used to execute arbitrary code with kernel privileges on a vulnerable device.
The vulnerability is known to affect all Macs, iPhone 6s and later, all iPad Pros, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
A cybersecurity researcher has already posted a PoC exploit for this problem on Twitter. Another researcher claims to have recently discovered the same error independently of Apple and has released a detailed description of the problem, which he said he was just preparing to report to the manufacturer.
Apple recommends that users update as soon as possible to macOS Big Sur 11.5.1, iOS 14.7.1, and iPadOS 14.7.1, which were released to address the vulnerability.
CVE-2021-30807 is the thirteenth 0-day vulnerability patched by Apple in 2021.