A vulnerability was found in Apple tvOS up to 14.5 (Digital Media Player). It has been rated as critical. Affected by this issue is some unknown functionality of the component WebKit. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability.

The weakness was presented 05/24/2021 by yangkang as HT212532 as confirmed advisory (Website). The advisory is shared for download at support.apple.com. This vulnerability is handled as CVE-2021-30665. Successful exploitation requires user interaction by the victim. Technical details are unknown but an exploit is available. The advisory points out:

Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

It is declared as highly functional. This issue was added on 11/03/2021 to the CISA Known Exploited Vulnerabilities Catalog with a due date of 11/17/2021:

Apply updates per vendor instructions.

Upgrading to version 14.6 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability. The advisory contains the following remark:

A memory corruption issue was addressed with improved state management.

Productinfo

Type

• Digital Media Player

Vendor

• Apple

Name

• tvOS

Version

• 14.0
• 14.1
• 14.2
• 14.3
• 14.4
• 14.5

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion