Apple IO Mobile Frame Buffer Vulnerability

By Frank Wood on November 22, 2021

(By Frank Wood on October 22, 2021)

Executive Summary

One of the leading competitors in the mobile device industry, Apple is no stranger to zero-day vulnerabilities and releases updates to correct them before they are exploited in the wild. For example, this article addresses a similar vulnerability that was patched in September. On October 11, 2021, iPhone Operating System (iOS) 15.0.2, Apple noted that an anonymous researcher found that Apple’s previous update (iOS 15.0.1) was actively being exploited [2]. Knowing that the vulnerability has been exploited, the Cybersecurity and Infrastructure Security Agency (CISA) released a notice that all Apple product users to “apply the necessary updates as soon as possible” [3].

Limited details of the exploit were posted in Apple’s patch notes page, leaving researchers to determine the source and many are focusing on a spyware named Pegasus [4], which was first discovered in 2016. Pegasus was developed by an Israeli malware vendor called Niv, Shalev, and Omri (NSO) group. NSO group “developed, marketed and licensed” [6] the spyware to governments around the world and it is known to be “ the most powerful piece of spyware ever developed” [6]. It has the capability to conduct 24-hour surveillance, copy sent and received text messages, harvest photos, and record phone calls [6]. While there is no proof of concept (POC) that Pegasus is responsible for the attack, researchers cannot rule it out.

Shortly after Apple’s release of iOS 15.0.2, a vulnerability reverse engineer and exploit mitigator, Saar Amar published an analysis and POC of the vulnerability [4]. In his analysis, Amar states, “that the bug resides in AppleMobileDispH12P, which is accessible from AppleCLCD” driver [1] and that “there were some different instances of a size calculation without checks for integer overflow” [1]. He further explains that it is “accessible directly from the app sandbox” and that “unlike the previous in-the-wild vulnerability in (IO Mobile Frame Buffer) IOMFB/AppleCLCD, no special entitlements are required” [1].


CVE-2021-30883 – Memory Corruption at the “IOMobileFrameBuffer kernel extension, used for managing display memory. Malicious applications are said to be capable of triggering an integer overflow in the framebuffer, permitting execution of arbitrary code with kernel privileges” [4].


With 49.26 million Apple iPhones sold in the second quarter of 2021 alone, the possibility of the vulnerability being exploited is very high. If the vulnerability is exploited and the threat is in fact the Pegasus spyware, user privacy is completely eradicated. With the previous Pegasus exploit of the “WhatsApp” application, an estimated two billion users could have been affected [7].


To mitigate this vulnerability, Apple released iOS 15.0.2 on October 11, 2021 [2]. This release is available for iPhone 6s and later, all models of iPad Pros, iPad Air 2 and later, 5th generation of the iPad and later, iPad mini 4 and later, as well as the 7th generation of the iTouch [2].


[1] Amar, S. (n.d.). “Bindiff and POC for the IOMFB vulnerability, iOS 15.0.2.” Accessed October 14, 2021.

[2] Apple (October 11, 2021). “About the security content of iOS 15.0.2 and iPadOS 15.0.2.” Accessed October 14, 2021.

[3] CISA. (October 5, 2021). “Apple Releases Security Update to Address CVE-2021-30883.” Accessed October 14, 2021.

[4] Corfield, G. (October 12, 2021). “Apple patches ‘actively exploited’ iPhone zero-day with iOS 15.0.2 update.” Accessed October 14, 2021.

[5] O’Dea S. (September 10, 2021). “Apple smartphone sales to end users Q1 2016-Q1 2021.” Accessed October 14, 2021.

[6] Pegg, D. & Cutler, S. (July 18, 2021). “What is Pegasus spyware and how does it hack phones?” Accessed October 14, 2021.

[7] Williams, S. (September 6, 2021). “WhatsApp security vulnerability could have exploited two billions users.” Accessed October 14, 2021.