{
	"id": "da959efa-d362-44ae-bca8-0fecd466e7b1",
	"created_at": "2026-04-06T00:19:08.712991Z",
	"updated_at": "2026-04-10T03:23:51.290268Z",
	"deleted_at": null,
	"sha1_hash": "62af4b67b6ec35c662628fd75b96d56661f31126",
	"title": "CVE-2021-30724: CVMServer Vulnerability in macOS and iOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1477089,
	"plain_text": "CVE-2021-30724: CVMServer Vulnerability in macOS and iOS\r\nBy By: Mickey Jin Jun 03, 2021 Read time: 4 min (1133 words)\r\nPublished: 2021-06-03 · Archived: 2026-04-05 15:50:41 UTC\r\nWe discovered a vulnerability in macOS rooted in the Core Virtual Machine Server (CVMServer). The\r\nvulnerability, labeled CVE-2021-30724open on a new tab, is triggered by an integer overflow leading to an out-of-bounds memory access, from which point privilege escalation can be attained. It affects devices running older\r\nversions of macOS Big Sur 11.4, iOS 14.6, and iPadOS 14.6.\r\nThis issue has already been fixed by Apple at the time of writing. This blog entry details where we discovered the\r\nvulnerability and how it can be triggered.\r\nThe CVMServer\r\nThe CVMServer is an XPC serviceopen on a new tab and is a system daemon that runs in root to handle XPC\r\nrequests. XPC is a framework implemented by Apple and is a low-level communication mechanism between\r\ndifferent processes. Client processes send XPC request messages through an XPC-related API. Then the server\r\nwill receive the message and handle it.  One of its most frequently used clients are written in the OpenCL\r\nframework. The main logic it uses is a big switch case to dispatch many kinds of XPC messages. Figure 1 shows\r\nan example of the CVMServer’s switch case logic.\r\nhttps://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html\r\nPage 1 of 7\n\nFigure 1. Switch case logic of the CVMServer dispatching many kinds of XPC messages\r\nThe vulnerability\r\nThe issue exists in the XPC request message handler, more specifically in the processing of a request (case\r\nmsgType=18) to build an element using the OpenCL source code.\r\nhttps://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html\r\nPage 2 of 7\n\nFigure 2. Case 18 logic of the CVMServer logic where the vulnerability exists\r\nFigure 2 shows the logic in which the vulnerability exists. As shown in the image, item[3*count] is the mapped\r\nlength, returned from xpc_shmem_map (seen in line 134). Meanwhile, beginOffset is controllable from the XPC\r\nrequest message (seen in line 135). If the value of item[3*count] is less than that of beginOffset, then according to\r\nthe logic, the value of remainLen will be an integer overflow. This will lead to the check in line 144 being\r\nbypassed. Therefore, the vulnerability can be triggered by specifying item[count]=accessDataLen to a large\r\ninteger (seen from line 136 to 137), which will lead to out of bounds memory access and potential privilege\r\nescalation if exploited.\r\nTriggering the vulnerability\r\nFigure 1 also shows that the flag context-\u003eattached is set inside case 4. This means to send the request (case\r\nmsgType=18), the CVMS service must be attached and XPC request msgType=4 is sent. In turn, to send the XPC\r\nrequests to the service, a connection must first be established. By searching cross-references to the API call\r\nhttps://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html\r\nPage 3 of 7\n\n_xpc_connection_create_mach_service we were able to get the service name “com.apple.cvmsServ,” and thus\r\nestablish a connection.\r\nint64_t cvms_connection_create(xpc_connection_t *conn) {\r\nint64_t error = 528;\r\nxpc_connection_t client = xpc_connection_create_mach_service(\"com.apple.cvmsServ\", NULL, 2);\r\nxpc_connection_set_event_handler(client, ^(xpc_object_t event) {});\r\nxpc_connection_resume(client);\r\nxpc_object_t req = xpc_dictionary_create(NULL, NULL, 0);\r\nxpc_dictionary_set_int64 (req, \"message\", 1);\r\nxpc_object_t res = xpc_connection_send_message_with_reply_sync(client, req);\r\nprintf(\"response: %s\\n\", xpc_copy_description(res));\r\nif (xpc_get_type(res) == XPC_TYPE_DICTIONARY) {\r\nerror = xpc_dictionary_get_int64(res, \"error\");\r\nif (!error) {\r\n*conn = client;\r\n}\r\n}\r\nreturn error;\r\n}\r\nAfter doing so, we attached the service, with the arguments fetched through debugging.\r\nint64_t cvms_service_attach(xpc_connection_t conn) {\r\nint64_t error = 528;\r\nxpc_object_t req = xpc_dictionary_create(NULL, NULL, 0);\r\nxpc_dictionary_set_int64 (req, \"message\", 4);\r\nxpc_dictionary_set_string(req, \"framework_name\", \"OpenCL\");\r\nxpc_dictionary_set_string(req, \"bitcode_name\", \"\");\r\nhttps://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html\r\nPage 4 of 7\n\nxpc_dictionary_set_string(req, \"plugin_name\",\r\n\"/System/Library/Frameworks/OpenGL.framework/Libraries/libGLVMPlugin.dylib\");\r\nstruct AttachArgs {\r\nint64_t a1;\r\nint64_t a2;\r\n} args = {0, 0x0000211000000009};//M1 Mac use 0x000021100000000a\r\nxpc_dictionary_set_data(req, \"args\", \u0026args, sizeof(args));\r\nxpc_object_t res = xpc_connection_send_message_with_reply_sync(conn, req);\r\nprintf(\"response: %s\\n\", xpc_copy_description(res));\r\nif (xpc_get_type(res) == XPC_TYPE_DICTIONARY) {\r\nerror = xpc_dictionary_get_int64(res, \"error\");\r\nif (!error) {\r\nint64_t pool_index = xpc_dictionary_get_int64(res, \"pool_index\");\r\nprintf(\"pool_index: %lld\\n\", pool_index);\r\n}\r\n}\r\nreturn error;\r\n}\r\nAfter attaching the CVMS service and sending XPC request msgType=4 we can now send the request (case\r\nmsgType=18) where the vulnerability is found. To better understand how this vulnerability is triggered, we explain\r\nthe XPC message structure shown in Figure 2.\r\nFrom line 97 to 105, we can see that request[“source”] is an XPC array, which stores the list of source code data.\r\nAt line 108, 32 bytes (4 pointer size) is allocated for each array item.\r\nFigure 3. Layout of decompiled source_data_array\r\nhttps://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html\r\nPage 5 of 7\n\nThe do-while loop from line 111 to 156 fills the array item with each data source value. The type of the data\r\nsource value is either xpc_type_data or xpc_type_shmem. The logic here states that the address range\r\n[accessBeginPointer, accessBeginPointer+accessDataLength) must be a subset of the range\r\n[mappedBaseAddress, mappedBaseAddress+mappedLength). The logic, therefore, checks if the value of\r\naccessDataLength is less than that of the mappedLength minus the beginOffset value. This check must be\r\nbypassed to trigger the vulnerability. Luckily for this analysis, all these values are controlled from the XPC\r\nrequest messages.\r\nAt line 138, there is a check for the beginOffset value where it must be less than one page or 4K in size. However,\r\nmappedLength returned from xpc_shmem_map is always set to the 4K size. This makes it seem hard to trigger the\r\nvulnerability. But examining the implementation of the function xpc_shmem_map revealed the trick — patching\r\nthe mappedLength to any small value, which in our case was one, at the field offset 0x20 of the xpc_xshmem\r\nobject.\r\nWith this method, we were able to bypass the check on line 144 through integer overflow, and then trigger a\r\nmemory access out-of-memory by a specified large number. The trigger code could look something like the one\r\nshown in Figure 5. The full POC can be found in GitHubopen on a new tab.\r\nFigure 4. MappedLength can be patched to a small value at the field offset 0x20\r\nFigure 5. Code showing the mapped length patched to one to bypass the check in the server.\r\nhttps://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html\r\nPage 6 of 7\n\nThe implemented fix\r\nApple has already made a fix for CVE-2021-30724. The solution was simple: Add a check to avoid the integer\r\noverflow (line 178 in Figure 6). As an aside, we found that the binary CVMCompiler has the same issue, which\r\nhas also been fixed using this method used for CVE-2021-30724.\r\nFigure 6. Code showing the solution for CVE-2021-30724 at line 178\r\nWhile this solution works for similar cases, another perhaps more comprehensive tactic would be to put a check\r\ninside the API implementation xpc_shmem_map, as this is the root cause of the vulnerability. It is possible to grep\r\nthe xpc_shmem_map API call from all system native Mach-O to hunt similar issues. In fact, this was the method\r\nwe used to discover the same problem in CVMCompiler.\r\nSecurity recommendations \r\nThe vulnerability is moderately difficult to trigger, but not impossible, as we had demonstrated here. If CVE-2021-30724 is left unpatched, an attacker can elevate his privileges by exploiting the vulnerability. Users should\r\nkeep their devices up-to-date to receive the latest patches. Apple has released the security updates that address this\r\nissue, which are macOS Big Sur 11.4open on a new tab, iOS 14.6, and iPadOS 14.6open on a new tab. Users can\r\nalso consider solutions such as the Trend Micro Antivirus for Macproducts and Trend Micro Protection\r\nSuitesproducts that help detect and block attacks that exploit such flaws.\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html\r\nhttps://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/f/CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html"
	],
	"report_names": [
		"CVE-2021-30724_CVMServer_Vulnerability_in_macOS_and_iOS.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434748,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62af4b67b6ec35c662628fd75b96d56661f31126.pdf",
		"text": "https://archive.orkl.eu/62af4b67b6ec35c662628fd75b96d56661f31126.txt",
		"img": "https://archive.orkl.eu/62af4b67b6ec35c662628fd75b96d56661f31126.jpg"
	}
}