CVE-2021-30860 Overview
CVE-2021-30860, commonly known as FORCEDENTRY, is an integer overflow vulnerability in Apple's CoreGraphics framework that affects PDF processing across multiple Apple operating systems. This vulnerability allows attackers to achieve arbitrary code execution by crafting a malicious PDF document that triggers an integer overflow condition during rendering. Apple has confirmed that this vulnerability has been actively exploited in the wild, making it a critical security concern for all affected platforms.
Critical Impact
This zero-click vulnerability enables remote code execution through maliciously crafted PDF files, requiring no user interaction beyond receiving the document. It has been confirmed as actively exploited in real-world attacks and is listed in CISA's Known Exploited Vulnerabilities Catalog.
Affected Products
- Apple iOS (all versions prior to 14.8)
- Apple iPadOS (all versions prior to 14.8)
- Apple macOS Big Sur (all versions prior to 11.6)
- Apple macOS Catalina (requires Security Update 2021-005)
- Apple watchOS (all versions prior to 7.6.2)
- Xpdf Reader (affected versions)
- Freedesktop Poppler (affected versions)
Discovery Timeline
- 2021-08-24 - CVE-2021-30860 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2021-30860
Vulnerability Analysis
CVE-2021-30860 is an integer overflow vulnerability (CWE-190) that exists in Apple's CoreGraphics framework, specifically in the JBIG2 image codec used for PDF rendering. The vulnerability occurs when processing maliciously crafted JBIG2 streams embedded within PDF documents. When a specially constructed PDF triggers the integer overflow condition, it can lead to heap corruption, ultimately allowing an attacker to achieve arbitrary code execution with the privileges of the targeted application.
This vulnerability is particularly dangerous because it can be exploited as a zero-click attack vector. In documented attacks, threat actors delivered the malicious PDF via iMessage, where the image rendering service would automatically process the document without any user interaction. The exploitation chain leveraged the JBIG2 codec's Turing-complete capabilities to construct a virtual machine that could bypass Apple's security mitigations.
Root Cause
The root cause of this vulnerability lies in insufficient input validation within the JBIG2 image decoding routines in CoreGraphics. When processing certain arithmetic operations on image dimensions or buffer sizes, the code fails to properly check for integer overflow conditions. This allows an attacker to craft JBIG2 segment data that causes calculations to wrap around, resulting in undersized buffer allocations. Subsequent operations then write beyond the allocated memory boundaries, leading to heap corruption that can be leveraged for code execution.
Attack Vector
The attack vector for CVE-2021-30860 is formally classified as local and requiring user interaction (such as opening a malicious PDF). In practice, delivery through a messaging application that auto-renders attachments makes exploitation zero-click: receiving the document is enough, which significantly lowers the barrier for successful attacks:
- The attacker crafts a malicious PDF containing specially constructed JBIG2 image data
- The PDF is delivered to the target via iMessage, email, or other delivery mechanisms
- When the device's rendering service processes the JBIG2 content, the integer overflow is triggered
- The overflow causes heap corruption through undersized buffer allocation
- The attacker's payload executes with the privileges of the rendering process
- The exploit can then escape the sandbox to gain persistent device access
The exploitation technique discovered in the wild was remarkably sophisticated, using JBIG2's logical operations to emulate a small computer architecture within the codec, demonstrating advanced adversary capabilities.
Detection Methods for CVE-2021-30860
Indicators of Compromise
- Presence of suspicious PDF files containing JBIG2 image segments with anomalous segment structures or sizes
- Unexpected crashes or memory errors in processes handling PDF rendering such as IMTranscoderAgent or mediaanalysisd
- Evidence of iMessage attachments with unusual file characteristics or from unknown senders
- System logs showing CoreGraphics-related crashes coinciding with PDF processing activities
Detection Strategies
- Monitor for unusual PDF processing activity, particularly from messaging applications like iMessage
- Deploy endpoint detection rules to identify JBIG2 streams with suspicious segment parameters within PDF documents
- Implement behavioral analysis to detect anomalous memory allocation patterns during PDF rendering
- Review crash reports for CoreGraphics or ImageIO framework failures indicating potential exploitation attempts
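The two defensive points on this page, the undersized allocation from a wrapped size computation described under Root Cause and the detection strategy of inspecting JBIG2 segment parameters inside PDF streams, can be shown together in one small C program. This is an added example written for this page; it is not CoreGraphics, Xpdf or Poppler code, and it does not reproduce the exact overflow site of the real bug. It parses the JBIG2 segment-header layout from ITU-T T.88 (embedded streams as found in PDF /JBIG2Decode objects have no file header), reads the 17-byte region segment information of generic-region segments, and compares a naive 32-bit bitmap size computation with a 64-bit checked one. The 64 MiB policy limit, the `scan_jbig2_stream`/`checked_bitmap_size` names and the two sample segments are all constructed for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed scanner policy (constructed for this example): a single region
 * bitmap larger than 64 MiB is reported as anomalous. */
#define MAX_BITMAP_BYTES (64u * 1024u * 1024u)

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Unchecked 32-bit size computation: a stand-in for the CWE-190 bug class in
 * the Root Cause section. For large width/height the product wraps, so a
 * buffer allocated with this size is far too small for the later writes. */
uint32_t naive_bitmap_size(uint32_t width, uint32_t height)
{
    uint32_t stride = (width + 7) / 8;   /* bytes per row; can itself wrap */
    return stride * height;              /* 32-bit multiply wraps silently */
}

/* Hardened form: compute in 64 bits, reject zero dimensions and anything over
 * the policy limit. Returns the byte count, or 0 when the request is rejected. */
size_t checked_bitmap_size(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0) return 0;
    uint64_t stride = ((uint64_t)width + 7) / 8;
    uint64_t bytes = stride * height;    /* < 2^61, cannot wrap in 64 bits */
    return bytes > MAX_BITMAP_BYTES ? 0 : (size_t)bytes;
}

typedef struct {
    uint32_t number;
    uint8_t  type;
    uint32_t data_length;
    size_t   data_offset;
} jbig2_segment;

/* Parse one segment header (T.88 section 7.2) at off. Returns its length,
 * or 0 if the header runs past the end of the buffer. */
static size_t parse_segment_header(const uint8_t *buf, size_t len, size_t off, jbig2_segment *seg)
{
    size_t p = off;
    if (len - p < 6) return 0;
    seg->number = rd32(buf + p); p += 4;
    uint8_t flags = buf[p++];
    seg->type = flags & 0x3f;
    bool page4 = (flags & 0x40) != 0;          /* 4-byte page association */
    uint32_t ref_count = buf[p] >> 5;
    if (ref_count == 7) {                      /* long form: 4-byte count + retain bits */
        if (len - p < 4) return 0;
        ref_count = rd32(buf + p) & 0x1fffffffu; p += 4;
        size_t retain = ((size_t)ref_count + 8) / 8;   /* ceil((count + 1) / 8) */
        if (len - p < retain) return 0;
        p += retain;
    } else {
        p += 1;
    }
    size_t ref_size = seg->number <= 256 ? 1 : (seg->number <= 65536 ? 2 : 4);
    size_t ref_bytes = (size_t)ref_count * ref_size;
    if (len - p < ref_bytes) return 0;
    p += ref_bytes;
    size_t page_bytes = page4 ? 4 : 1;
    if (len - p < page_bytes + 4) return 0;
    p += page_bytes;                           /* page number not needed here */
    seg->data_length = rd32(buf + p); p += 4;
    seg->data_offset = p;
    return p - off;
}

typedef struct { int segments; int flagged; } scan_result;

/* Walk an embedded JBIG2 stream and flag truncated headers, inconsistent data
 * lengths, and generic-region segments (types 36, 38, 39) whose declared
 * dimensions fail the checked size computation. */
scan_result scan_jbig2_stream(const uint8_t *buf, size_t len)
{
    scan_result r = {0, 0};
    size_t off = 0;
    while (off < len) {
        jbig2_segment seg;
        if (parse_segment_header(buf, len, off, &seg) == 0) { r.flagged++; break; }
        r.segments++;
        if (seg.data_length == 0xffffffffu || seg.data_length > len - seg.data_offset) {
            r.flagged++;                       /* unknown or oversized data length */
            break;
        }
        if (seg.type == 36 || seg.type == 38 || seg.type == 39) {
            if (seg.data_length < 17) {        /* region segment info is 17 bytes */
                r.flagged++;
            } else {
                uint32_t w = rd32(buf + seg.data_offset), h = rd32(buf + seg.data_offset + 4);
                if (checked_bitmap_size(w, h) == 0) {
                    r.flagged++;
                    printf("segment %" PRIu32 ": %" PRIu32 "x%" PRIu32 " rejected; naive size "
                           "would be %" PRIu32 " bytes\n", seg.number, w, h, naive_bitmap_size(w, h));
                }
            }
        }
        off = seg.data_offset + seg.data_length;
    }
    return r;
}

static size_t wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
    return 4;
}

/* Constructed sample segment: type 38 (immediate generic region) carrying only
 * its region info and one flags byte, with no coded bitmap data. */
static size_t emit_region_segment(uint8_t *out, uint32_t segnum, uint32_t w, uint32_t h)
{
    size_t n = 0;
    n += wr32(out + n, segnum);
    out[n++] = 38;                      /* flags: type 38, 1-byte page association */
    out[n++] = 0;                       /* no referred-to segments */
    out[n++] = 1;                       /* page 1 */
    n += wr32(out + n, 18);             /* data length: 17-byte region info + flags */
    n += wr32(out + n, w);
    n += wr32(out + n, h);
    n += wr32(out + n, 0);              /* x */
    n += wr32(out + n, 0);              /* y */
    out[n++] = 0;                       /* region flags: combination operator OR */
    out[n++] = 0;                       /* generic region flags: MMR off, template 0 */
    return n;
}

/* Builds the constructed two-segment sample and scans it: a benign 64x56
 * region followed by one whose 32-bit size computation wraps to 0. */
scan_result scan_sample(void)
{
    uint8_t stream[64];
    size_t n = emit_region_segment(stream, 0, 64, 56);
    n += emit_region_segment(stream + n, 1, 0x40000000u, 0x40u);
    return scan_jbig2_stream(stream, n);
}

int main(void)
{
    scan_result r = scan_sample();
    printf("%d segments, %d flagged\n", r.segments, r.flagged);
    return r.flagged ? 1 : 0;
}
```

The second sample segment declares a width of 0x40000000 and a height of 0x40: the row stride is 2^27 bytes and the bitmap would need 2^33 bytes, which wraps to 0 in 32-bit arithmetic while the checked computation rejects it outright. A scanner of this shape is only a triage aid: legitimate JBIG2 streams vary widely, so flagged files should be reviewed rather than blocked automatically.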
Monitoring Recommendations
- Enable detailed logging for PDF processing services and messaging applications on Apple devices
- Monitor MDM solutions for device crash patterns that may indicate exploitation attempts
- Implement network-level inspection for PDF attachments with anomalous JBIG2 content where possible
- Review CISA's Known Exploited Vulnerability entry for CVE-2021-30860 for updated threat intelligence
How to Mitigate CVE-2021-30860
Immediate Actions Required
- Immediately update all Apple devices to patched versions: iOS/iPadOS 14.8+, macOS Big Sur 11.6+, macOS Catalina with Security Update 2021-005, and watchOS 7.6.2+
- Review devices for signs of compromise, particularly those that may have received suspicious iMessage attachments
- Disable automatic preview of attachments in messaging applications where possible as a temporary measure
- Ensure all third-party PDF rendering libraries (Xpdf, Poppler) are updated to patched versions
- Consider blocking PDF attachments at the email gateway level for high-risk environments until patching is complete
Patch Information
Apple has released security patches addressing this vulnerability across all affected platforms. Organizations should apply the following updates immediately:
- iOS and iPadOS: Update to version 14.8 or later - Apple Security Update HT212807
- macOS Big Sur: Update to version 11.6 or later - Apple Security Update HT212804
- macOS Catalina: Apply Security Update 2021-005 - Apple Security Update HT212805
- watchOS: Update to version 7.6.2 or later - Apple Security Update HT212806
For Xpdf and Poppler users, consult the Gentoo GLSA 202209-21 and the oss-security mailing list discussion for patch guidance specific to those libraries.
Workarounds
- Disable iMessage on critical devices if immediate patching is not possible, as this was a known delivery vector
- Configure email gateways to quarantine or strip PDF attachments from unknown or untrusted senders
- Use Mobile Device Management (MDM) to restrict installation of unverified applications that may process untrusted PDFs
- Implement network segmentation to limit the impact of potential compromise on sensitive systems
Verification Commands
# iOS/iPadOS/watchOS versions cannot be queried from a shell; check them through MDM inventory or Apple Configurator
# On macOS, list installed security updates and the current system version:
softwareupdate --history | grep -i "security"
sw_vers -productVersion
# Check for available updates on macOS:
softwareupdate -l
# Install all available updates on macOS:
sudo softwareupdate -ia --verbose
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.