CVE-2021-30941: 
macOS vulnerability analysis and mitigation

CVE-2021-30941 is a buffer overflow vulnerability discovered in Apple's Model I/O component that was fixed in December 2021. The vulnerability affects multiple Apple operating systems including macOS Monterey 12.1, iOS 15.2 and iPadOS 15.2, macOS Big Sur 11.6.2, and Security Update 2021-008 Catalina. When processing a maliciously crafted USD file, this vulnerability could lead to the disclosure of memory contents (Apple Support HT212976, Apple Support HT212978).

The vulnerability is classified as a buffer overflow issue (CWE-120) that was addressed with improved memory handling. According to the National Vulnerability Database, it received a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires local access and user interaction to exploit, but could lead to high confidentiality impact (NVD).

The primary impact of this vulnerability is the potential disclosure of memory contents when processing a maliciously crafted USD file. This could lead to unauthorized access to sensitive information stored in memory (Apple Support HT212976).

Apple addressed this vulnerability by implementing improved memory handling in security updates released on December 13, 2021. The fix was included in macOS Monterey 12.1, iOS 15.2 and iPadOS 15.2, macOS Big Sur 11.6.2, and Security Update 2021-008 Catalina. Users are advised to update their systems to these versions or later to mitigate the vulnerability (Apple Support HT212976, Apple Support HT212978).

The vulnerability was discovered and reported by Rui Yang and Xingwei Lin of Ant Security Light-Year Lab, demonstrating ongoing security research efforts in identifying potential threats to Apple's systems (Apple Support HT212976).