11 matches found

GitHub Security Blog
added 2026/05/29 7:47 p.m. · 19 views

Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection

Summary: AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection. Details: Autoupdate/AppInstaller.m's shouldAcceptNewConnection: only enforces SUCodeSigningVerifier validateConnection: before stage 1 completes. After...

AI score: 5.8 · EPSS: 0.00014
Exploits: 0 · References: 2 · Affected Software: 1

Positive Technologies
added 2026/05/29 12:00 a.m. · 9 views

PT-2026-45020

Summary: AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection. Details: Autoupdate/AppInstaller.m's shouldAcceptNewConnection: only enforces SUCodeSigningVerifier validateConnection: before stage 1 completes. After...

CVSS: 4.2 · AI score: 5.8 · EPSS: 0.00014
Exploits: 0 · References: 3

GoogleProjectZero
added 2026/01/30 12:00 a.m. · 15 views

Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529

Posted by Dillon Franke, Google Information Security Engineering, 20% time on Project Zero. In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability CVE-2024-54529 and a double-free vulnerability CVE-2025-312...

CVSS: 7.8 · AI score: 6.2 · EPSS: 0.00333
Exploits: 2

0day.today
added 2025/01/23 12:00 a.m. · 568 views

MacOS CoreAudio Framework Sandbox Escape Exploit

MacOS suffers from a sandbox escape vulnerability due to a type confusion issue in coreaudiod/CoreAudio Framework. The com.apple.audio.audiohald Mach service on MacOS is hosted by the coreaudiod process. This process exposes the Hardware Abstraction Layer (HAL) of the CoreAudio framework, which...

CVSS: 7.8 · AI score: 7.3 · EPSS: 0.00333
Exploits: 2

Packet Storm
added 2025/01/22 12:00 a.m. · 308 views

MacOS CoreAudio Framework Sandbox Escape

MacOS suffers from a sandbox escape vulnerability due to a type confusion issue in coreaudiod/CoreAudio Framework. The com.apple.audio.audiohald Mach service on MacOS is hosted by the coreaudiod process. This process exposes the Hardware Abstraction Layer (HAL) of the CoreAudio framework, which...

CVSS: 7.8 · AI score: 8.3 · EPSS: 0.00333
Exploits: 2

Positive Technologies
added 2025/01/17 12:00 a.m. · 2 views

PT-2025-4295 · Stats · Stats

Name of the Vulnerable Software and Affected Versions: Stats versions prior to 2.11.21 Description: The Stats application is vulnerable to a local privilege escalation due to the insecure implementation of its XPC service. The application registers a Mach service under the name...

CVSS: 8.7 · AI score: 8.2 · EPSS: 0.00261
Exploits: 0 · References: 9

Hacker One
added 2020/09/12 9:34 p.m. · 199 views

Kaspersky: [Fixed] KIS for macOS is vulnerable to AV bypass due to improper client authorization on XPC service

Note! Thank you for your report. For the purposes of the further analysis of the vulnerability, that you kindly report to us, could you please fill all fields in square brackets. This information will help us to respond you more quickly and triage your report. Thanks a lot for your assistance...

CVSS: 2.1 · AI score: 0.7 · EPSS: 0.00217
Exploits: 0

0day.today
added 2016/12/23 12:00 a.m. · 62 views

MacOS Kernel 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement Exploit

Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=977 syslogd running as root hosts the com.apple.system.logger mach service. It's part of the system.sb sandbox profile and so reachable from a lot of sandboxed contexts. Here's ...

CVSS: 7.2 · AI score: 7.7 · EPSS: 0.01069
Exploits: 1

exploitpack
added 2016/12/22 12:00 a.m. · 31 views

Apple macOS 10.12.1 iOS 10.2 - powerd Arbitrary Port Replacement

Apple macOS 10.12.1 iOS 10.2 - powerd Arbitrary Port Replacement / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=976 powerd running as root hosts the com.apple.PowerManagement.control mach service. It checks in with launchd to get a server port and then wraps that in a CFPort:...

AI score: 7
Exploits: 0

Exploit DB
added 2016/12/22 12:00 a.m. · 52 views

Apple macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=977 syslogd running as root hosts the com.apple.system.logger mach service. It's part of the system.sb sandbox profile and so reachable from a lot of sandboxed contexts. Here's a snippet from its mach message handling loop...

AI score: 7.4
Exploits: 0

Packet Storm
added 2015/01/20 12:00 a.m. · 48 views

OS X networkd Sandbox Escape

// Requires Lorgnette: https://github.com/rodionovd/liblorgnette // clang -o networkdexploit networkdexploit.c liblorgnette/lorgnette.c -framework CoreFoundation // ianbeer ...

AI score: 7.4
Exploits: 0