FORCEDENTRY zero-click RCE in Apple CoreGraphics JBIG2 parser
CVE-2021-30860 is an integer overflow vulnerability in Apple CoreGraphics, specifically in the JBIG2 decoding/parsing of malicious content embedded in PDF files. Multiple supporting sources tie the flaw to the CoreGraphics JBIG2 implementation, including the JBIG2::readTextRegionSeg path and the accumulation of referenced symbol counts into a 32-bit variable (numSyms). The overflow can lead to an undersized heap allocation followed by out-of-bounds writes during symbol pointer copying, resulting in heap corruption. In observed in-the-wild exploitation, attackers delivered a disguised PDF via iMessage using a 'fake GIF' technique so that IMTranscoderAgent processed the file outside BlastDoor protections. Citizen Lab and Project Zero associated this vulnerability with the FORCEDENTRY exploit chain used to deploy NSO Group Pegasus spyware. Apple fixed the issue in Security Update 2021-005 Catalina, iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6, and watchOS 7.6.2, and stated it may have been actively exploited.
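The numSyms accumulation described above, modelled as an added example rather than Apple's or any exploit repository's code: a hypothetical unchecked 32-bit sum of per-segment symbol counts beside an overflow-checked version that refuses to proceed. The segment struct, the bound parameter and the constructed counts are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of a referenced symbol dictionary segment: only the
   field relevant to the accumulation is kept (assumed layout, not Apple's). */
typedef struct {
    uint32_t numSyms;   /* symbols exported by this referenced segment */
} SymbolDictSeg;

/* Vulnerable pattern: the 32-bit running total wraps modulo 2^32, so a
   later allocation sized from it is smaller than the symbols that will be
   copied into it. Returns true unconditionally, as such code typically did. */
static bool sum_symbols_unchecked(const SymbolDictSeg *segs, size_t nSegs,
                                  uint32_t *out)
{
    uint32_t numSyms = 0;
    for (size_t i = 0; i < nSegs; i++)
        numSyms += segs[i].numSyms;     /* may wrap silently */
    *out = numSyms;
    return true;
}

/* Hardened pattern: check before adding that the next count fits under
   maxSyms (at most UINT32_MAX). The subtraction cannot underflow because
   numSyms <= maxSyms is an invariant of the loop, so wrap-around and
   over-large totals are both rejected before any allocation is sized. */
static bool sum_symbols_checked(const SymbolDictSeg *segs, size_t nSegs,
                                uint32_t maxSyms, uint32_t *out)
{
    uint32_t numSyms = 0;
    for (size_t i = 0; i < nSegs; i++) {
        if (segs[i].numSyms > maxSyms - numSyms)
            return false;               /* would overflow or exceed bound */
        numSyms += segs[i].numSyms;
    }
    *out = numSyms;
    return true;
}
```

With constructed counts {0xFFFFFFFF, 2} the unchecked sum yields 1 while the checked version fails closed; a parser should size the symbol table only from the checked total.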
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository is a sophisticated proof-of-concept exploit for the FORCEDENTRY vulnerability (CVE-2021-30860) affecting iOS 14.4 and below. The exploit targets the iMessage zero-click attack surface by generating a malicious PDF file containing a specially crafted JBIG2 stream. The Python scripts in the 'docker/libs' directory handle the construction of the exploit payload, including heap manipulation and PDF generation. The main entry point is 'docker/forcedentry', which orchestrates the exploit flow, including Frida-based instrumentation for process tracing and payload delivery. The Objective-C code in 'docker/poc-app/poc-app/clazz.m' constructs a payload chain that leverages private iOS frameworks and Objective-C runtime features to achieve code execution. The payload demonstrates its effect by launching the Calculator app on the target device, proving arbitrary code execution. The exploit requires the attacker to have network access to the device (typically via SSH and Frida port forwarding) and is designed for research and demonstration purposes. The repository includes both the exploit logic and a minimal iOS app project for payload delivery and testing. Overall, the repository demonstrates a full exploit chain from PDF generation to sandbox escape and code execution, with a focus on the iMessage attack vector and iOS platform.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A zero-click vulnerability in Apple CoreGraphics' PDF/JBIG2 parsing that served as the entry point of an iMessage exploit chain, delivered via a disguised GIF/PDF file to achieve remote exploitation on iPhones. It is significant because it was used by NSO Group's Pegasus spyware in the wild and is described as one of the most technically sophisticated exploits observed.
A zero-click iMessage vulnerability exploited via a crafted fake GIF/PDF using the CoreGraphics JBIG2 parser, enabling highly sophisticated remote exploitation on iPhones.
A zero-click integer overflow vulnerability in Apple's CoreGraphics component (affecting iOS, iPadOS, macOS, and watchOS) when processing JBIG2-encoded data in PDF or PSD files. The flaw allows remote code execution via a malicious file sent through iMessage, requiring no user interaction. It was exploited in the wild by NSO Group's Pegasus spyware.
A vulnerability in the CoreGraphics framework that allows arbitrary code execution on the device.