The vulnerability, identified as CVE-2021-30869 , is present in the XNU kernel component on modern Apple operating systems. This is the sixteenth zero-day vulnerability patched by Apple this year. Now macOS and iOS also getting a huge number of zero-days as compare to the last couple of years.
As Shane Huntley, head of the Google Threat Analysis Group, explained, the vulnerability in XNU is one of two links in the exploit chain. Hackers use it, together with a known vulnerability in WebKit, to execute malicious code in the victim's browser and escalate its privileges in order to gain control over the attacked device.
Huntley said his team will provide more details on the attacks in 30 days so that users have time to update, as the likelihood of attacks will increase significantly after publication.
Security updates have been released for macOS Catalin and iOS 12.5.5, which means the vulnerability does not affect newer iOS versions such as iOS 14 and 15.
Apple also ported two patches for other zero-day vulnerabilities released on September 13, 2021. Originally targeted at iOS 14 (CVE-2021-30860 and CVE-2021-30858), fixes are now also available for older iPhones running iOS 12.