CVE-2021-1778: 
macOS vulnerability analysis and mitigation

An out-of-bounds read issue existed in the curl component of ImageIO. This vulnerability (CVE-2021-1778) was discovered and reported by Xingwei Lin of Ant Security Light-Year Lab. The issue was fixed in multiple Apple operating systems including macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4, with patches released on January 26, 2021 (Apple Security).

The vulnerability was caused by an out-of-bounds read issue in the curl functionality within the ImageIO framework. The issue was addressed by implementing improved bounds checking in the affected code. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

Processing a maliciously crafted image may lead to a denial of service condition. The vulnerability could allow an attacker to cause unexpected application termination through specially crafted image files (Apple Security).

Apple addressed this vulnerability by releasing security updates for affected operating systems. Users should update to macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 or iPadOS 14.4 or later versions (Apple Security).