CVE-2021-30807

HIGH KEV

macOS Big Sur <11.5.1 - Memory Corruption

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-30807 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 3 public exploits from researchers including jsherman212, 30440r.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-30807, targeting a memory corruption vulnerability in the IOMobileFramebufferUserClient on iOS. The exploit leverages mach port manipulation and IOKit calls to achieve arbitrary kernel memory manipulation.

Description

A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.5.1, iOS 14.7.1 and iPadOS 14.7.1, watchOS 7.6.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Exploits (3)

nomisec WORKING POC 131 stars
by jsherman212 · local
https://github.com/jsherman212/iomfb-exploit

This repository contains a functional exploit for CVE-2021-30807, targeting a memory corruption vulnerability in the IOMobileFramebufferUserClient on iOS. The exploit leverages mach port manipulation and IOKit calls to achieve arbitrary kernel memory manipulation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: iOS (IOMobileFramebufferUserClient)
No auth needed
Prerequisites: Physical or remote access to a vulnerable iOS device · Kernel memory layout knowledge or brute-forcing
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 5 stars
by 30440r · local
https://github.com/30440r/gex

This repository contains a functional exploit for CVE-2021-30807, targeting a memory corruption vulnerability in the IOMobileFramebufferUserClient on iOS. The exploit leverages mach port manipulation and kernel memory corruption to achieve arbitrary kernel read/write primitives.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Apple iOS (IOMobileFramebufferUserClient)
No auth needed
Prerequisites: Physical or remote access to a vulnerable iOS device · Kernel memory layout knowledge (e.g., guessed addresses)
devstral-2 · analyzed Feb 18, 2026 Full analysis →
vulncheck_xdb WORKING POC
local
https://github.com/saaramar/IOMobileFrameBuffer_LPE_POC

This repository contains a functional exploit PoC for CVE-2021-30807, an out-of-bounds read vulnerability in AppleCLCD/IOMobileFrameBuffer. The exploit demonstrates how an unchecked index in the external method 83 can lead to a kernel panic.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Apple iOS (IOMobileFrameBuffer, AppleCLCD)
No auth needed
Prerequisites: Access to the IOMobileFrameBuffer service from the app sandbox
devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (4)

Core 4
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/en-us/HT212622
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/en-us/HT212623
Release Notes, Vendor Advisory x_refsource_misc
https://support.apple.com/en-us/HT212713

Scores

CVSS v3 7.8
EPSS 0.2884
EPSS Percentile 97.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-07-26
InTheWild.io 2021-07-26
ENISA EUVD EUVD-2021-17724
CWE
CWE-787
Status published
Products (4)
apple/ipados < 14.7.1
apple/iphone_os < 14.7.1
apple/macos < 11.5.1
apple/watchos < 7.6.1
Published Oct 19, 2021
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026