Attackers can use the vulnerabilities to cause memory corruption with maliciously crafted web content, and to take advantage of a use-after-free bug.
This allows attackers to run arbitrary code on users’ devices.
No details were provided by Apple around when and against whom the vulnerabilities were used.
The vulnerabilities indexed as CVE-2021-30761 and CVE-2021-30762 were both attributed to an anonymous security researcher.
Apple also released a patch in iOS 12.5.4 that handles a memory corruption issue in code used to process digital certificates using the Abstract Syntax Notation One (ASN.1) interface description language.
The bug, CVE-2021-30737, could be used to run arbitrary code on users’ devices and was fixed in iOS and iPadOS 14.6 and macOS Big Sur 11.4 on May 25 this year prior to the release of today’s patch for iOS 12.