This document describes the security content of macOS Monterey 12.0.1.
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Released October 25, 2021
AppKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to elevate privileges
Description: A logic issue was addressed with improved state management.
CVE-2021-30873: Thijs Alkemade of Computest
AppleScript
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-30876: Jeremy Brown, hjy79425575
CVE-2021-30879: Jeremy Brown, hjy79425575
CVE-2021-30877: Jeremy Brown
CVE-2021-30880: Jeremy Brown
App Store
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to access local users' Apple IDs
Description: An access issue was addressed with improved access restrictions.
CVE-2021-30994: Sergii Kryvoblotskyi of MacPaw Inc.
Entry added May 25, 2022
Audio
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to elevate privileges
Description: An integer overflow was addressed through improved input validation.
CVE-2021-30907: Zweig of Kunlun Lab
Bluetooth
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed with improved state handling.
CVE-2021-30899: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC Riverside, and Yu Wang of Didi Research America
Bluetooth
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to disclose kernel memory
Description: A logic issue was addressed with improved validation.
CVE-2021-30931: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC Riverside, and Yu Wang of Didi Research America
Entry added November 18, 2021
bootp
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A device may be passively tracked by its WiFi MAC address
Description: A user privacy issue was addressed by removing the broadcast MAC address.
CVE-2021-30866: Fabien Duchêne of UCLouvain (Belgium)
Entry added November 18, 2021
ColorSync
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation.
CVE-2021-30917: Alexandru-Vlad Niculae and Mateusz Jurczyk of Google Project Zero
Continuity Camera
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An uncontrolled format string issue was addressed with improved input validation.
CVE-2021-30903: an anonymous researcher
Entry updated May 25, 2022
CoreAudio
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may disclose user information
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-30905: Mickey Jin (@patch1t) of Trend Micro
CoreGraphics
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution
Description: An out-of-bounds write was addressed with improved input validation.
CVE-2021-30919
Directory Utility
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to access local users' Apple IDs
Description: A logic issue was addressed with improved state management.
CVE-2020-9846: Wojciech Reguła (@_r3ggi)
Entry added March 31, 2022
FileProvider
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
Description: An input validation issue was addressed with improved memory handling.
CVE-2021-30881: Simon Huang (@HuangShaomang) and pjf of IceSword Lab of Qihoo 360
File System
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2021-30923: Pan ZhenPeng (@Peterpan0927) of Alibaba Security
Entry added November 18, 2021
FontParser
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing a maliciously crafted font may result in the disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-30831: Xingwei Lin of Ant Security Light-Year Lab
Entry added November 18, 2021
FontParser
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing a maliciously crafted dfont file may lead to arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-30840: Xingwei Lin of Ant Security Light-Year Lab
Entry added November 18, 2021
Foundation
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved memory handling.
CVE-2021-30852: Yinyi Wu (@3ndy1) of Ant Security Light-Year Lab
Entry added November 18, 2021
Game Center
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to access information about a user's contacts
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30895: Denis Tokarev
Game Center
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to read a user's gameplay data
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30896: Denis Tokarev
Graphics Drivers
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed with improved state handling.
CVE-2021-30933: Jack Dates of RET2 Systems, Inc.
Entry added March 31, 2022
iCloud
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A local attacker may be able to elevate their privileges
Description: This issue was addressed with improved checks.
CVE-2021-30906: Cees Elzinga
iCloud Photo Library
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to access photo metadata without needing permission to access photos
Description: The issue was addressed with improved authentication.
CVE-2021-30867: Csaba Fitzl (@theevilbit) of Offensive Security
Entry added November 18, 2021
ImageIO
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
CVE-2021-30814: hjy79425575
Entry added November 18, 2021
Intel Graphics Driver
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: Multiple out-of-bounds write issues were addressed with improved bounds checking.
CVE-2021-30922: Jack Dates of RET2 Systems, Inc., Yinyi Wu (@3ndy1)
Entry added March 31, 2022
Intel Graphics Driver
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.
CVE-2021-30824: Antonio Zekic (@antoniozekic) of Diverto
Intel Graphics Driver
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: Multiple out-of-bounds write issues were addressed with improved bounds checking.
CVE-2021-30901: Zuozhi Fan (@pattern_F_) of Ant Security TianQiong Lab, Yinyi Wu (@3ndy1) of Ant Security Light-Year Lab, Jack Dates of RET2 Systems, Inc.
IOGraphics
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2021-30821: Tim Michaud (@TimGMichaud) of Zoom Video Communications
IOMobileFrameBuffer
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2021-30883: an anonymous researcher
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A remote attacker can cause a device to unexpectedly restart
Description: A denial of service issue was addressed with improved state handling.
CVE-2021-30924: Elaman Iskakov (@darling_x0r) of Effective and Alexey Katkov (@watman27)
Entry added November 18, 2021
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A use-after-free issue was addressed with improved memory management.
CVE-2021-30886: @0xalsr
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2021-30909: Zweig of Kunlun Lab
Kernel
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2021-30916: Zweig of Kunlun Lab
LaunchServices
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: A logic issue was addressed with improved state management.
CVE-2021-30864: Ron Hass (@ronhass7) of Perception Point
Login Window
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A person with access to a host Mac may be able to bypass the Login Window in Remote Desktop for a locked instance of macOS
Description: A logic issue was addressed with improved checks.
CVE-2021-30813: Benjamin Berger of BBetterTech LLC, Peter Goedtkindt of Informatique-MTF S.A., an anonymous researcher
Entry updated May 25, 2022
Managed Configuration
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A user in a privileged network position may be able to leak sensitive user information
Description: A logic issue was addressed with improved state management.
CVE-2021-31011: Michal Moravec of Logicworks, s.r.o.
Entry added September 16, 2022
Messages
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A user's messages may continue to sync after the user has signed out of iMessage
Description: A sync issue was addressed with improved state validation.
CVE-2021-30904: Reed Meseck of IBM
Entry added November 18, 2021
Model I/O
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing a maliciously crafted file may disclose user information
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-30910: Mickey Jin (@patch1t) of Trend Micro
Model I/O
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing a maliciously crafted USD file may disclose memory contents
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-30911: Rui Yang and Xingwei Lin of Ant Security Light-Year Lab
NetworkExtension
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A VPN configuration may be installed by an app without user permission
Description: An authorization issue was addressed with improved state management.
CVE-2021-30874: Javier Vieira Boccardo (linkedin.com/javier-vieira-boccardo)
Entry added November 18, 2021
Sandbox
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to modify protected parts of the file system
Description: This issue was addressed with improved checks.
CVE-2021-30808: Csaba Fitzl (@theevilbit) of Offensive Security
Entry added November 18, 2021
Sandbox
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A local attacker may be able to read sensitive information
Description: A permissions issue was addressed with improved validation.
CVE-2021-30920: Csaba Fitzl (@theevilbit) of Offensive Security
Security
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with improved locking.
CVE-2021-31004: Csaba Fitzl (@theevilbit) of Offensive Security
Entry added March 31, 2022
SMB
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-31002: Peter Nguyễn Vũ Hoàng of STAR Labs
Entry added September 16, 2022
SMB
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2021-30868: Peter Nguyen Vu Hoang of STAR Labs
SoftwareUpdate
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may gain access to a user's Keychain items
Description: The issue was addressed with improved permissions logic.
CVE-2021-30912: Kirin (@Pwnrin) and chenyuwang (@mzzzz__) of Tencent Security Xuanwu Lab
SoftwareUpdate
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: An unprivileged application may be able to edit NVRAM variables
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30913: Kirin (@Pwnrin) and chenyuwang (@mzzzz__) of Tencent Security Xuanwu Lab
Entry updated May 25, 2022
UIKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A person with physical access to a device may be able to determine characteristics of a user's password in a secure text entry field
Description: A logic issue was addressed with improved state management.
CVE-2021-30915: Kostas Angelopoulos
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Turning off "Block all remote content" may not apply to all remote content types
Description: A logic issue was addressed with improved state management.
CVE-2021-31005: Jonathan Austin of Wells Fargo, Attila Soki
Entry added March 31, 2022
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to code execution
Description: A type confusion issue was addressed with improved memory handling.
CVE-2021-31008
Entry added March 31, 2022
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious website may exfiltrate data cross-origin
Description: An issue existed in the specification for the resource timing API. The specification was updated and the updated specification was implemented.
CVE-2021-30897: an anonymous researcher
Entry added November 18, 2021
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Visiting a maliciously crafted website may reveal a user's browsing history
Description: The issue was resolved with additional restrictions on CSS compositing.
CVE-2021-30884: an anonymous researcher
Entry added November 18, 2021
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved state handling.
CVE-2021-30818: Amar Menezes (@amarekano) of Zon8Research
Entry added November 18, 2021
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing a maliciously crafted audio file may disclose restricted memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-30836: Peter Nguyen Vu Hoang of STAR Labs
Entry added November 18, 2021
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2021-30846: Sergei Glazunov of Google Project Zero
Entry added November 18, 2021
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2021-30849: Sergei Glazunov of Google Project Zero
Entry added November 18, 2021
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to code execution
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2021-30848: Sergei Glazunov of Google Project Zero
Entry added November 18, 2021
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to code execution
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2021-30851: Samuel Groß of Google Project Zero
Entry added November 18, 2021
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use-after-free issue was addressed with improved memory management.
CVE-2021-30809: an anonymous researcher
Entry added November 18, 2021
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: An attacker in a privileged network position may be able to bypass HSTS
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30823: David Gullasch of Recurity Labs
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy
Description: A logic issue was addressed with improved restrictions.
CVE-2021-30887: Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd.
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious website using Content Security Policy reports may be able to leak information via redirect behavior
Description: An information leakage issue was addressed.
CVE-2021-30888: Prakash (@1lastBr3ath)
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2021-30889: Chijin Zhou of ShuiMuYuLin Ltd and Tsinghua wingtecher lab
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may bypass Gatekeeper checks
Description: A logic issue was addressed with improved state management.
CVE-2021-30861: Wojciech Reguła (@_r3ggi), Ryan Pickren (ryanpickren.com)
WebKit
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Processing maliciously crafted web content may lead to universal cross-site scripting
Description: A logic issue was addressed with improved state management.
CVE-2021-30890: an anonymous researcher
WebRTC
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: An attacker may be able to track users through their IP address
Description: A logic issue was addressed with improved state management.
CVE-2021-30930: Oguz Kırat, Matthias Keller (m-keller.com)
Entry added November 18, 2021, updated September 16, 2022
Windows Server
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A local attacker may be able to view the previously logged-in user's desktop from the fast user switching screen
Description: An authentication issue was addressed with improved state management.
CVE-2021-30908: ASentientBot
xar
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: Unpacking a maliciously crafted archive may allow an attacker to write arbitrary files
Description: This issue was addressed with improved checks.
CVE-2021-30833: Richard Warren of NCC Group
zsh
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to modify protected parts of the file system
Description: An inherited permissions issue was addressed with additional restrictions.
CVE-2021-30892: Jonathan Bar Or of Microsoft
APFS
We would like to acknowledge Koh M. Nakagawa of FFRI Security, Inc. for their assistance.
AppleScript
We would like to acknowledge Jeremy Brown for their assistance.
Entry added March 31, 2022
App Support
We would like to acknowledge an anonymous researcher, 漂亮鼠 of 赛博回忆录 for their assistance.
Bluetooth
We would like to acknowledge say2 of ENKI for their assistance.
bootp
We would like to acknowledge Alexander Burke (alexburke.ca) for their assistance.
Entry added March 31, 2022
CUPS
We would like to acknowledge Nathan Nye of WhiteBeam Security for their assistance.
Entry updated March 31, 2022
iCloud
We would like to acknowledge Ryan Pickren (ryanpickren.com) for their assistance.
Kernel
We would like to acknowledge Anthony Steinhauser of Google's Safeside project, and Joshua Baums of Informatik Baums for their assistance.
Entry updated November 18, 2021
We would like to acknowledge Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences for their assistance.
Managed Configuration
We would like to acknowledge Michal Moravec of Logicworks, s.r.o. for their assistance.
Setup Assistant
We would like to acknowledge David Schütz (@xdavidhu) for their assistance.
Entry added November 18, 2021
smbx
We would like to acknowledge Zhongcheng Li (CK01) for their assistance.
UIKit
We would like to acknowledge Jason Rendel of Diligent for their assistance.
Entry added November 18, 2021
WebKit
We would like to acknowledge Ivan Fratric of Google Project Zero, Pavel Gromadchuk, Nikhil Mittal (@c0d3G33k), and Matthias Keller (m-keller.com) for their assistance.