CVE-2021-30860 is an integer overflow vulnerability in Apple CoreGraphics during processing of maliciously crafted PDF content, specifically in JBIG2-encoded data handled by the CoreGraphics JBIG2 parser. Public technical analysis ties the bug to the JBIG2 text-region parsing path, including the readTextRegionSeg logic, where accumulation of referenced symbol counts into a 32-bit value can overflow, leading to an undersized heap allocation and subsequent out-of-bounds writes. In observed exploitation, attackers delivered a PDF containing a JBIG2 stream disguised as a .gif attachment via iMessage, causing IMTranscoderAgent/ImageIO/CoreGraphics to parse attacker-controlled content. This exploit chain, widely referred to as FORCEDENTRY, was used as a zero-click entry point to compromise Apple devices and bypass BlastDoor-era messaging protections.
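As an added illustration (not CoreGraphics code and not taken from the repository summarised below), the following C sketch shows the accumulation pattern described above: a 32-bit running total of referenced symbol counts that silently wraps, beside the checked version a parser should use before sizing its allocation. The struct and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the per-dictionary symbol counts a text region
 * would pull from the symbol dictionary segments it references. */
typedef struct { uint32_t num_syms; } sym_dict_seg;

/* Vulnerable pattern: counts are summed in a 32-bit integer, so the total
 * wraps modulo 2^32 and the later allocation is sized from the wrapped value. */
uint32_t total_syms_unchecked(const sym_dict_seg *segs, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += segs[i].num_syms;   /* wraps silently */
    return total;
}

/* Hardened pattern: reject the region as soon as the running total would
 * exceed what a uint32_t can hold, before any allocation is made. */
bool total_syms_checked(const sym_dict_seg *segs, size_t n, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].num_syms > UINT32_MAX - total)
            return false;            /* would overflow: refuse the segment */
        total += segs[i].num_syms;
    }
    *out = total;
    return true;
}

/* The number of symbol pointers the parser would actually store when it
 * later walks every referenced dictionary: the true sum, computed in 64 bits. */
uint64_t entries_to_write(const sym_dict_seg *segs, size_t n) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) total += segs[i].num_syms;
    return total;
}

int main(void) {
    /* Constructed input: two dictionaries whose counts sum just past UINT32_MAX. */
    sym_dict_seg segs[] = { { 0xFFFFFFF0u }, { 0x20u } };
    size_t n = sizeof segs / sizeof segs[0];
    uint32_t checked = 0;
    printf("unchecked total (allocation size): %u entries\n", total_syms_unchecked(segs, n));
    printf("entries the copy loop would write:  %llu\n", (unsigned long long)entries_to_write(segs, n));
    printf("checked parser accepts input: %s\n", total_syms_checked(segs, n, &checked) ? "yes" : "no");
    return 0;
}
```

The gap between the wrapped total and the true entry count is the undersized allocation the summary above refers to; the checked variant closes it by failing the parse instead of allocating.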
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository is a sophisticated proof-of-concept exploit for the FORCEDENTRY vulnerability (CVE-2021-30860) affecting iOS 14.4 and below. The exploit targets the iMessage zero-click attack surface by generating a malicious PDF file containing a specially crafted JBIG2 stream. The Python scripts in the 'docker/libs' directory handle the construction of the exploit payload, including heap manipulation and PDF generation. The main entry point is 'docker/forcedentry', which orchestrates the exploit flow, including Frida-based instrumentation for process tracing and payload delivery. The Objective-C code in 'docker/poc-app/poc-app/clazz.m' constructs a payload chain that leverages private iOS frameworks and Objective-C runtime features to achieve code execution. The payload demonstrates its effect by launching the Calculator app on the target device, proving arbitrary code execution. The exploit requires the attacker to have network access to the device (typically via SSH and Frida port forwarding) and is designed for research and demonstration purposes. The repository includes both the exploit logic and a minimal iOS app project for payload delivery and testing. Overall, the repository demonstrates a full exploit chain from PDF generation to sandbox escape and code execution, with a focus on the iMessage attack vector and iOS platform.
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Zero-click remote code execution vulnerability in Apple CoreGraphics used by the FORCEDENTRY Pegasus exploit chain against iMessage.
Zero-click exploit chain targeting iPhones, centered on an integer overflow in Apple CoreGraphics when processing JBIG2-encoded PDF content delivered via iMessage disguised as GIF files. Significant because it enabled compromise of fully updated iPhones without user interaction and is associated with NSO Group Pegasus operations.
Integer overflow vulnerability in Apple CoreGraphics PDF/JBIG2 processing used by NSO Group's FORCEDENTRY zero-click iMessage exploit chain to achieve code execution.
A zero-click iMessage exploit chain entry vulnerability in Apple CoreGraphics' PDF/JBIG2 parsing, used via a disguised GIF/PDF file to achieve remote exploitation on iPhones. It is significant because it was used by NSO Group's Pegasus spyware in the wild and is described as one of the most technically sophisticated exploits observed.