CVE-2021-30807

From The Apple Wiki

On 26 July 2021 (2021-07-26), Apple released iOS 14.7.1 with a fix for CVE-2021-30807, a vulnerability in IOMobileFrameBuffer which allows kernel code execution, and has been exploited in the wild according to Apple. Note that is is not the same as CVE-2021-30883 which was fixed in 15.0.2.

binaryboy published a quick crash PoC on Twitter.

Saar Amar later wrote a blog post and PoC for this vulnerability (like binaryboy's, this PoC just panics the kernel). He had independently discovered the bug earlier, but he didn't report it or publish it because he didn't have a good exploit yet, and then Apple fixed it.

On 28 November 2021 (2021-11-28), Justin Sherman released a more comprehensive writeup and exploit which actually achieves kernel read/write primitives.

Calling the vulnerable method requires the com.apple.private.allow-explicit-graphics-priority entitlement, so it's not reachable from the normal app sandbox, but it is reachable from the WebContent process, so it could be chained with a WebKit exploit.