About the security content of iOS 14.5 and iPadOS 14.5
This document describes the security content of iOS 14.5 and iPadOS 14.5.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
iOS 14.5 and iPadOS 14.5
Accessibility
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A person with physical access to an iOS device may be able to access notes from the lock screen
Description: This issue was addressed with improved checks.
CVE-2021-1835: videosdebarraquito
App Store
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An attacker in a privileged network position may be able to alter network traffic
Description: A certificate validation issue was addressed.
CVE-2021-1837: Aapo Oksman of Nixu Cybersecurity
Apple Neural Engine
Available for: iPhone 8 and later, iPad Pro (3rd generation) and later, and iPad Air (3rd generation) and later
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1867: Zuozhi Fan (@pattern_F_) and Wish Wu (吴潍浠) of Ant Group Tianqiong Security Lab
AppleMobileFileIntegrity
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to bypass Privacy preferences
Description: An issue in code signature validation was addressed with improved checks.
CVE-2021-1849: Siguza
Assets
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to create or modify privileged files
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1836: an anonymous researcher
Audio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to read restricted memory
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1808: JunDong Xie of Ant Security Light-Year Lab
Audio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: A memory consumption issue was addressed with improved memory handling.
CVE-2021-30742: Mickey Jin of Trend Micro working with Trend Micro Zero Day Initiative
CFNetwork
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2021-1857: an anonymous researcher
Compression
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-30752: Ye Zhang(@co0py_Cat) of Baidu Security
CoreAudio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2021-30664: JunDong Xie of Ant Security Light-Year Lab
CoreAudio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2021-30664: JunDong Xie of Ant Security Light-Year Lab
CoreAudio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted audio file may disclose restricted memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1846: JunDong Xie of Ant Security Light-Year Lab
CoreAudio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to read restricted memory
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1809: JunDong Xie of Ant Security Light-Year Lab
CoreFoundation
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to leak sensitive user information
Description: A validation issue was addressed with improved logic.
CVE-2021-30659: Thijs Alkemade of Computest
Core Motion
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A logic issue was addressed with improved validation.
CVE-2021-1812: Siddharth Aeri (@b1n4r1b01)
CoreText
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted font may result in the disclosure of process memory
Description: A logic issue was addressed with improved state management.
CVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab
FaceTime
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Muting a CallKit call while ringing may not result in mute being enabled
Description: A logic issue was addressed with improved state management.
CVE-2021-1872: Siraj Zaneer of Facebook
FontParser
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1881: an anonymous researcher, Xingwei Lin of Ant Security Light-Year Lab, Mickey Jin of Trend Micro, and Hou JingYi (@hjy79425575) of Qihoo 360
Foundation
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1882: Gabe Kirkpatrick (@gabe_k)
Foundation
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to gain root privileges
Description: A validation issue was addressed with improved logic.
CVE-2021-1813: Cees Elzinga
GPU Drivers
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to determine kernel memory layout
Description: An access issue was addressed with improved memory management.
CVE-2021-30656: Justin Sherman of University of Maryland, Baltimore County
Heimdal
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted server messages may lead to heap corruption
Description: This issue was addressed with improved checks.
CVE-2021-1883: Gabe Kirkpatrick (@gabe_k)
Heimdal
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A remote attacker may be able to cause a denial of service
Description: A race condition was addressed with improved locking.
CVE-2021-1884: Gabe Kirkpatrick (@gabe_k)
ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write was addressed with improved input validation.
CVE-2021-30743: CFF of Topsec Alpha Team, Ye Zhang(@co0py_Cat) of Baidu Security, and Jeonghoon Shin(@singi21a) of THEORI working with Trend Micro Zero Day Initiative
ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-1885: CFF of Topsec Alpha Team
ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-30653: Ye Zhang of Baidu Security
CVE-2021-1843: Ye Zhang of Baidu Security
ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2021-1858: Mickey Jin of Trend Micro
ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-30764: Anonymous working with Trend Micro Zero Day Initiative
CVE-2021-30662: Anonymous working with Trend Micro Zero Day Initiative, Jzhu working with Trend Micro Zero Day Initiative
iTunes Store
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An attacker with JavaScript execution may be able to execute arbitrary code
Description: A use after free issue was addressed with improved memory management.
CVE-2021-1864: CodeColorist of Ant-Financial LightYear Labs
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1877: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab
CVE-2021-1852: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab
CVE-2021-1830: Tielei Wang of Pangu Lab
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved state management.
CVE-2021-1874: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab
CVE-2021-1851: @0xalsr
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to disclose kernel memory
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2021-1860: @0xalsr
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2021-1816: Tielei Wang of Pangu Lab
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Copied files may not have the expected file permissions
Description: The issue was addressed with improved permissions logic.
CVE-2021-1832: an anonymous researcher
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to disclose kernel memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-30660: Alex Plaskett
libxpc
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to gain root privileges
Description: A race condition was addressed with additional validation.
CVE-2021-30652: James Hutchins
libxslt
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted file may lead to heap corruption
Description: A double free issue was addressed with improved memory management.
CVE-2021-1875: Found by OSS-Fuzz
MobileAccessoryUpdater
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to gain elevated privileges
Description: This issue was addressed with improved checks.
CVE-2021-1833: Cees Elzinga
MobileInstallation
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to modify protected parts of the file system
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1822: Bruno Virlet of The Grizzly Labs
Password Manager
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A user's password may be visible onscreen
Description: An issue obscuring passwords in screenshots was addressed with improved logic.
CVE-2021-1865: Shibin B Shaji of UST
Preferences
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to modify protected parts of the file system
Description: A parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2021-1815: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)
CVE-2021-1739: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)
CVE-2021-1740: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)
Quick Response
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A person with physical access to an iOS device may be able to place phone calls to any phone number
Description: An issue existed with authenticating the action triggered by an NFC tag. The issue was addressed with improved action authentication.
CVE-2021-1863: REFHAN OZGORUR
Safari
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to write arbitrary files
Description: A validation issue was addressed with improved input sanitization.
CVE-2021-1807: David Schütz (@xdavidhu)
Shortcuts
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may allow shortcuts to access restricted files
Description: The issue was addressed with improved permissions logic.
CVE-2021-1831: Bouke van der Bijl
Siri
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An issue with Siri search access to information was addressed with improved logic
Description: A person with physical access may be able to access contacts.
CVE-2021-1862: Anshraj Srivastava (@AnshrajSrivas14) of UKEF
Tailspin
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local attacker may be able to elevate their privileges
Description: A logic issue was addressed with improved state management.
CVE-2021-1868: Tim Michaud of Zoom Communications
TCC
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to leak sensitive user information
Description: A validation issue was addressed with improved logic.
CVE-2021-30659: Thijs Alkemade of Computest
Telephony
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A legacy cellular network can automatically answer an incoming call when an ongoing call ends or drops.
Description: A call termination issue with was addressed with improved logic.
CVE-2021-1854: Steven Thorne of Cspire
UIKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A user's password may be visible onscreen
Description: A logic issue was addressed with improved state management.
CVE-2021-30921: Maximilian Blochberger of the Security in Distributed Systems Group of University of Hamburg
Wallet
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to view sensitive information in the app switcher
Description: The issue was addressed with improved UI handling.
CVE-2021-1848: Bradley D’Amato of ActionIQ
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
Description: An input validation issue was addressed with improved input validation.
CVE-2021-1825: Alex Camboe of Aon’s Cyber Solutions
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2021-1817: zhunki
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1826: an anonymous researcher
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may result in the disclosure of process memory
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2021-1820: André Bargull
WebKit Storage
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
CVE-2021-30661: yangkang(@dnpushme) of 360 ATA
WebRTC
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory
Description: A use after free issue was addressed with improved memory management.
CVE-2020-7463: Megan2013678
Wi-Fi
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A buffer overflow may result in arbitrary code execution
Description: A logic issue was addressed with improved state management.
CVE-2021-1770: Jiska Classen (@naehrdine) of Secure Mobile Networking Lab, TU Darmstadt
Additional recognition
Accounts Framework
We would like to acknowledge Ellougani Mohamed of Dr.Phones Recycle Inc. for their assistance.
AirDrop
We would like to acknowledge @maxzks for their assistance.
Assets
We would like to acknowledge Cees Elzinga for their assistance.
CoreAudio
We would like to acknowledge an anonymous researcher for their assistance.
CoreCrypto
We would like to acknowledge Andy Russon of Orange Group for their assistance.
File Bookmark
We would like to acknowledge an anonymous researcher for their assistance.
Files
We would like to acknowledge Omar Espino (omespino.com) for their assistance.
Foundation
We would like to acknowledge CodeColorist of Ant-Financial LightYear Labs for their assistance.
Kernel
We would like to acknowledge Antonio Frighetto of Politecnico di Milano, GRIMM, Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang, Haixin Duan, Mikko Kenttälä ( @Turmio_ ) of SensorFu, Proteas, Tielei Wang of Pangu Lab, and Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab for their assistance.
We would like to acknowledge Lauritz Holtmann (@_lauritz_), Muhammed Korany (facebook.com/MohamedMoustafa4), and Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
NetworkExtension
We would like to acknowledge Fabian Hartmann for their assistance.
Safari Private Browsing
We would like to acknowledge Dor Kahana and Griddaluru Veera Pranay Naidu for their assistance.
Security
We would like to acknowledge Xingwei Lin of Ant Security Light-Year Lab and john (@nyan_satan) for their assistance.
sysdiagnose
We would like to acknowledge Tim Michaud (@TimGMichaud) of Leviathan for their assistance.
WebKit
We would like to acknowledge Emilio Cobos Álvarez of Mozilla for their assistance.
WebSheet
We would like to acknowledge Patrick Clover for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.