CVE-2021-30934: 
Apple Safari vulnerability analysis and mitigation

CVE-2021-30934 is a buffer overflow vulnerability discovered by Dani Biro that affects multiple Apple operating systems and Safari browser. The vulnerability was fixed in tvOS 15.2, macOS Monterey 12.1, Safari 15.2, iOS 15.2 and iPadOS 15.2, watchOS 8.3, released in December 2021. The issue affects WebKit, Apple's web browser engine, and could allow arbitrary code execution when processing maliciously crafted web content (Apple Support, NVD).

The vulnerability is a buffer overflow issue in WebKit that was addressed with improved memory handling. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-120 (Buffer Copy without Checking Size of Input) (NVD).

When successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the affected system through processing maliciously crafted web content. This could potentially lead to complete system compromise with the privileges of the WebKit process (WebKitGTK Advisory).

The vulnerability has been patched in multiple Apple products: tvOS 15.2, macOS Monterey 12.1, Safari 15.2, iOS 15.2 and iPadOS 15.2, watchOS 8.3. Users are advised to update to these versions or later. The fix has also been backported to other platforms, with Debian releasing fixes in version 2.34.4-1~deb10u1 for oldstable (buster) and version 2.34.4-1~deb11u1 for stable (bullseye) distributions (Debian Security Advisory).