CVE-2021-30917: 
macOS vulnerability analysis and mitigation

A memory corruption issue existed in the processing of ICC profiles in Apple's ColorSync component. This vulnerability (CVE-2021-30917) was discovered by Alexandru-Vlad Niculae and Mateusz Jurczyk of Google Project Zero and was fixed in iOS 15.1 and iPadOS 15.1, macOS Monterey 12.0.1, iOS 14.8.1 and iPadOS 14.8.1, tvOS 15.1, watchOS 8.1, Security Update 2021-007 Catalina, and macOS Big Sur 11.6.1, released in October 2021 (Apple Security).

The vulnerability was caused by a memory corruption issue in the processing of ICC profiles. The issue was addressed with improved input validation. The vulnerability received a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access with low attack complexity and no privileges required, but user interaction is needed (NVD).

Processing a maliciously crafted image may lead to arbitrary code execution on affected systems. This could potentially allow attackers to execute malicious code with the privileges of the user processing the image (Apple Security).

Apple addressed this vulnerability by improving input validation in the ICC profile processing. Users should update to iOS 15.1 and iPadOS 15.1, macOS Monterey 12.0.1, iOS 14.8.1 and iPadOS 14.8.1, tvOS 15.1, watchOS 8.1, Security Update 2021-007 Catalina, or macOS Big Sur 11.6.1, depending on their device (Apple Security).