One (Thread) Can Keep a (PRNG) Secret, but Not Two
We present a novel, practical attack on the IPv6 Fragment ID generation algorithm of XNU, which is the kernel used by Apple products such as macOS and iOS. This attack exploits a race-condition vulnerability in the algorithm's pseudorandom number generator (PRNG) to cryptanalytically break, learn t...
Exploit for Out-of-bounds Write in Apple Ipados
CVE-2026-20698 — XNU Kernel Heap Overflow via PFROUTE RTAGEN...
macOS 10.13.4 (17E199) fgetattrlist Heap Overflow
Proof of concept Metasploit module that exploits a macOS version 10.13.4 heap overflow vulnerability. A kernel heap overflow exists in fgetattrlist due to missing lower-bound buffer size validation when writing returned attributes to caller-supplied memory...
macOS 10.12.2 XNU Kernel Privilege Escalation
This proof of concept targets a race‑condition vulnerability in the XNU kernel affecting macOS/iOS. By forcing a use‑after‑free condition on kernel ports, the exploit manipulates freed memory through a controlled spray, allowing a user‑controlled replacement object. Successful exploitation yields...
Modern IOS Security Features -- a Deep Dive into SPTM, TXM, and Exclaves
The XNU kernel is the basis of Apple's operating systems. Although labeled as a hybrid kernel, it is found to generally operate in a monolithic manner by defining a single privileged trust zone in which all system functionality resides. This has security implications, as a kernel compromise has...
EUVD-2013-3887
Malware in sbrugna...
EUVD-2007-4668
Malware in sbrugna...
PT-2025-3034 · Apple · Xnu Kernel +3
Name of the Vulnerable Software and Affected Versions: macOS versions prior to 15.2; iOS versions prior to 18.2; iPadOS versions prior to 18.2. Description: A type confusion issue was addressed with improved memory handling. An attacker with user privileges may be able to read kernel memory due to...
Exploit for Out-of-bounds Write in Apple Ipados
CVE-2024-27815 XNU kernel buffer overflow. Introduced in xnu...
PT-2024-13027
Name of the Vulnerable Software and Affected Versions: Apple iOS versions prior to 17; Apple iPadOS versions prior to 17; Apple macOS versions prior to 14. Description: This issue involves a use-after-free condition addressed through improved memory management. A malicious application may potentially...
Exploit for Race Condition in Apple Safari
MacDirtyCow Example of CVE-2022-46689 aka MacDirtyCow. Wh...
Designing sockfuzzer, a network syscall fuzzer for XNU
Posted by Ned Williamson, Project Zero Introduction When I started my 20% project – an initiative where employees are allocated twenty-percent of their paid work time to pursue personal projects – with Project Zero, I wanted to see if I could apply the techniques I had learned fuzzing Chrome to...
The core of Apple is PPL: Breaking the XNU kernel's kernel
Posted by Brandon Azad, Project Zero While doing research for the one-byte exploit technique, I considered several ways it might be possible to bypass Apple's Page Protection Layer (PPL) using just a physical address mapping primitive, that is, before obtaining kernel read/write or defeating PAC...
iOS, iPadOS, tvOS, watchOS, and macOS contain a double-free vulnerability in the XNU kernel lio_listio() function
Overview iOS, iPadOS, tvOS, watchOS, and macOS contain a double-free vulnerability in the XNU kernel's lio_listio() function, which can allow a malicious application to achieve unsandboxed, kernel-level code execution. Description iOS, iPadOS, tvOS, watchOS, and macOS contain a double-free...
Project Zero Discloses High-Severity Apple macOS Flaw
Researchers have disclosed what they say is a high-severity security flaw in Apple’s macOS operating system – which has not yet been patched. The flaw gives an attacker privileges to perform malicious actions on a mounted filesystem – without the victim knowing. The Google Project Zero team...
XNU Kernel iOS / macOS heap buffer overflow Exploit
The vulnerability is a heap buffer overflow in the networking code in the XNU operating system kernel. XNU is used by both iOS and macOS, which is why iPhones, iPads, and Macbooks are all affected. My exploit PoC just overwrites the heap with garbage, which causes an immediate kernel crash and...
XNU kernel heap overflow due to bad bounds checking in MPTCP(CVE-2018-4241)
mptcp_usr_connectx is the handler for the connectx syscall for the AF_MULTIPATH socket family. The logic of this function fails to correctly handle source and destination sockaddrs which aren't AF_INET or AF_INET6: // verify sa_len for AF_INET: if dst->sa_family == AF_INET && dst->sa_len !=...
XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP Exploit
Exploit for multiple platform in category dos / poc. mptcp_usr_connectx is the handler for the connectx syscall for the AF_MULTIPATH socket family. The logic of this function fails to correctly handle source and destination sockaddrs which aren't AF_INET or AF_INET6: // verify sa_len for AF_INET: if...
XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP
mptcp_usr_connectx is the handler for the connectx syscall for the AF_MULTIPATH socket family. The logic of this function fails to correctly handle source and destination sockaddrs which aren't AF_INET or AF_INET6: // verify sa_len for AF_INET: if dst->sa_family == AF_INET && dst->sa_len !=...
XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP
XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP. mptcp_usr_connectx is the handler for the connectx syscall for the AF_MULTIPATH socket family. The logic of this function fails to correctly handle source and destination sockaddrs which aren't AF_INET or AF_INET6: // verify sa_len for...