About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
iOS 14.5 and iPadOS 14.5
Released April 26, 2021
Accessibility
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A person with physical access to an iOS device may be able to access notes from the lock screen
Description: This issue was addressed with improved checks.
CVE-2021-1835: videosdebarraquito
App Store
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An attacker in a privileged network position may be able to alter network traffic
Description: A certificate validation issue was addressed.
CVE-2021-1837: Aapo Oksman of Nixu Cybersecurity
Apple Neural Engine
Available for: iPhone 8 and later, iPad Pro (3rd generation) and later, and iPad Air (3rd generation) and later
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1867: Zuozhi Fan (@pattern_F_) and Wish Wu (吴潍浠) of Ant Group Tianqiong Security Lab
AppleMobileFileIntegrity
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to bypass Privacy preferences
Description: An issue in code signature validation was addressed with improved checks.
CVE-2021-1849: Siguza
Assets
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to create or modify privileged files
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1836: an anonymous researcher
Audio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to read restricted memory
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1808: JunDong Xie of Ant Security Light-Year Lab
CFNetwork
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2021-1857: an anonymous researcher
CoreAudio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted audio file may disclose restricted memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1846: JunDong Xie of Ant Security Light-Year Lab
CoreAudio
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to read restricted memory
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1809: JunDong Xie of Ant Security Light-Year Lab
CoreFoundation
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to leak sensitive user information
Description: A validation issue was addressed with improved logic.
CVE-2021-30659: Thijs Alkemade of Computest
CoreText
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted font may result in the disclosure of process memory
Description: A logic issue was addressed with improved state management.
CVE-2021-1811: Xingwei Lin of Ant Security Light-Year Lab
FaceTime
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Muting a CallKit call while ringing may not result in mute being enabled
Description: A logic issue was addressed with improved state management.
CVE-2021-1872: Siraj Zaneer of Facebook
FontParser
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1881: an anonymous researcher, Xingwei Lin of Ant Security Light-Year Lab, Mickey Jin of Trend Micro, and Hou JingYi (@hjy79425575) of Qihoo 360
Foundation
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved validation.
CVE-2021-1882: Gabe Kirkpatrick (@gabe_k)
Foundation
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to gain root privileges
Description: A validation issue was addressed with improved logic.
CVE-2021-1813: Cees Elzinga
GPU Drivers
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to determine kernel memory layout
Description: An access issue was addressed with improved memory management.
CVE-2021-30656: Justin Sherman of University of Maryland, Baltimore County
Heimdal
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted server messages may lead to heap corruption
Description: This issue was addressed with improved checks.
CVE-2021-1883: Gabe Kirkpatrick (@gabe_k)
Heimdal
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A remote attacker may be able to cause a denial of service
Description: A race condition was addressed with improved locking.
CVE-2021-1884: Gabe Kirkpatrick (@gabe_k)
ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-1885: CFF of Topsec Alpha Team
ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-30653: Ye Zhang of Baidu Security
CVE-2021-1843: Ye Zhang of Baidu Security
ImageIO
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2021-1858: Mickey Jin of Trend Micro
iTunes Store
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An attacker with JavaScript execution may be able to execute arbitrary code
Description: A use after free issue was addressed with improved memory management.
CVE-2021-1864: CodeColorist of Ant-Financial LightYear Labs
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to read kernel memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2021-1877: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab
CVE-2021-1852: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab
CVE-2021-1830: Tielei Wang of Pangu Lab
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved state management.
CVE-2021-1874: Zuozhi Fan (@pattern_F_) of Ant Group Tianqiong Security Lab
CVE-2021-1851: @0xalsr
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to disclose kernel memory
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2021-1860: @0xalsr
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2021-1816: Tielei Wang of Pangu Lab
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Copied files may not have the expected file permissions
Description: The issue was addressed with improved permissions logic.
CVE-2021-1832: an anonymous researcher
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to disclose kernel memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2021-30660: Alex Plaskett
libxpc
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to gain root privileges
Description: A race condition was addressed with additional validation.
CVE-2021-30652: James Hutchins
libxslt
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted file may lead to heap corruption
Description: A double free issue was addressed with improved memory management.
CVE-2021-1875: Found by OSS-Fuzz
MobileInstallation
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to modify protected parts of the file system
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1822: Bruno Virlet of The Grizzly Labs
Password Manager
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A user's password may be visible on screen
Description: An issue obscuring passwords in screenshots was addressed with improved logic.
CVE-2021-1865: Shibin B Shaji of UST
Preferences
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to modify protected parts of the file system
Description: A parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2021-1815: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)
CVE-2021-1739: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)
CVE-2021-1740: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)
Safari
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to write arbitrary files
Description: A validation issue was addressed with improved input sanitization.
CVE-2021-1807: David Schütz (@xdavidhu)
Shortcuts
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may allow shortcuts to access restricted files
Description: The issue was addressed with improved permissions logic.
CVE-2021-1831: Bouke van der Bijl
Tailspin
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local attacker may be able to elevate their privileges
Description: A logic issue was addressed with improved state management.
CVE-2021-1868: Tim Michaud of Zoom Communications
Telephony
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A legacy cellular network can automatically answer an incoming call when an ongoing call ends or drops.
Description: A call termination issue with was addressed with improved logic.
CVE-2021-1854: Steven Thorne of Cspire
Wallet
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A local user may be able to view sensitive information in the app switcher
Description: The issue was addressed with improved UI handling.
CVE-2021-1848: Bradley D’Amato of ActionIQ
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to a cross site scripting attack
Description: An input validation issue was addressed with improved input validation.
CVE-2021-1825: Alex Camboe of Aon’s Cyber Solutions
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.
CVE-2021-1817: an anonymous researcher
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1826: an anonymous researcher
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may result in the disclosure of process memory
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2021-1820: an anonymous researcher
WebKit Storage
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
CVE-2021-30661: yangkang(@dnpushme) of 360 ATA
WebRTC
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory
Description: A use after free issue was addressed with improved memory management.
CVE-2020-7463: Megan2013678