Use-after-free in Apple Kernel
CVE-2026-20687 is a use-after-free vulnerability in the Apple Kernel. Apple states that the issue was addressed with improved memory management. Successful exploitation by a local app may cause unexpected system termination or enable writes to kernel memory. The issue affects multiple Apple platforms and was fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, and watchOS 26.4.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a standalone iOS Xcode project implementing a local proof-of-concept for CVE-2026-20687, a use-after-free in AppleJPEGDriver. The repo is not part of a common exploit framework. Its structure is simple: a README describing the bug and trigger conditions, standard Xcode/iOS app scaffolding (AppDelegate, SceneDelegate, storyboards, plist, assets), and one large Objective-C source file (ios-app/Test/ViewController.m) that contains the substantive exploit/research logic.
The main exploit capability is local kernel bug triggering from an app by interacting with the AppleJPEGDriver IOKit user client. The code declares private IOKit entry points such as IOServiceGetMatchingServices, IOServiceOpen, IOConnectCallStructMethod, and IOConnectCallMethod, and reverse-engineers the AppleJPEGDriver request structure used by startDecoder. Comments in ViewController.m document the vulnerable lifecycle: async JPEG decode requests are queued, the client closes or times out, a JpegRequest is freed without removing its embedded queue node, and later queue walking dereferences stale memory, producing an MTE tag-check fault and kernel panic. The README states the practical trigger flow: run the app, tap Panic to prime the driver with async work, then open Camera to trigger the deferred panic during a later synchronous decode.
ViewController.m is clearly the core of the repository. Beyond the panic trigger, it contains extensive reverse-engineering notes about JpegRequest layout, offsets, crash path, and request fields, plus helper logic for IOSurface-backed source/destination buffers and measurement/logging code for timing and memory-footprint experiments. That indicates the repository serves both as a PoC and as vulnerability research tooling to study queue/reclaim behavior in the driver. However, there is no post-exploitation payload, persistence, remote delivery, or privilege-escalation chain implemented. No external C2 or remote network infrastructure is present.
The only meaningful target endpoint in code is the local IOKit service name AppleJPEGDriver. The exploit is therefore a local attack vector against vulnerable Apple mobile devices, intended to demonstrate denial of service and potentially inform deeper kernel exploitation research.
This repository is a standalone iOS proof-of-concept app for CVE-2026-20687, a use-after-free in AppleJPEGDriver related to startDecoder timeout handling. It is not part of a common exploit framework. The repository contains a small Xcode application scaffold plus one large substantive source file, ios-app/Test/ViewController.m, which implements the vulnerability trigger and research instrumentation. Supporting files include standard AppDelegate/SceneDelegate/main Objective-C boilerplate, storyboard/UI assets, Info.plist, and the Xcode project metadata.
The exploit capability is local, on-device kernel attack surface interaction through IOKit rather than network delivery. The PoC opens the AppleJPEGDriver service, prepares IOSurface-backed input/output buffers, and issues decoder requests through low-level IOKit calls such as IOServiceOpen, IOConnectCallStructMethod, and IOConnectCallMethod. Based on the README and source comments, the intended sequence is to queue asynchronous decode work, close the client so the driver leaves an embedded queue node pointer behind after freeing the request on timeout, and then later trigger a synchronous JPEG decode path. When the driver subsequently walks the per-codec queue, it dereferences a stale pointer into freed JpegRequest memory, causing an MTE tag fault and kernel panic.
The repository does not provide a full code-execution chain or post-exploitation payload. Its demonstrated outcome is denial of service / forced reboot via kernel panic, though the comments discuss potential PC control and kernel memory write implications from the vulnerable object layout. That makes the code operational as a crash trigger, but still a PoC rather than a weaponized exploit framework. Fingerprintable targets/endpoints are minimal because this is not a network exploit. The main identifiable target is the AppleJPEGDriver IOKit service name.
The README also documents a practical environmental trigger: opening the Camera app after pressing the app's Panic button. No external URLs, IPs, C2 domains, registry keys, or remote services are used by the exploit logic itself. Overall purpose: vulnerability research and reproducible triggering of a kernel UAF in AppleJPEGDriver on vulnerable iOS builds. Overall structure: README with vulnerability description and trigger steps; Xcode project files; standard iOS app scaffolding; and a large ViewController.m implementing the actual driver interaction, crafted request structures, logging, timing/footprint measurements, and panic trigger workflow.
This repository contains a real proof-of-concept exploit for CVE-2026-20687, a use-after-free race in AppleSEPKeyStore/AppleKeyStore on Apple platforms. It is not part of a larger exploit framework. The repository is structured as two main exploit implementations plus standard Xcode project scaffolding: (1) a standalone Objective-C PoC in poc.m for direct execution, and (2) an iOS test application under ios-app/Test that exposes the same race through a button in ViewController.m. The remaining files are standard Xcode project, storyboard, plist, and asset files.
The core exploit logic is the same in both poc.m and ios-app/Test/ViewController.m. It obtains a handle to the AppleKeyStore IOKit service using IOServiceMatching("AppleKeyStore") and IOServiceGetMatchingService, then creates a high-contention race using shared global state. Eight caller threads continuously invoke IOConnectCallMethod on the current connection across selectors 0 through 15 with a fixed scalar input array, while four closer threads repeatedly call IOServiceClose on that same connection and clear the shared handle. Meanwhile, the main thread rapidly performs 100,000 IOServiceOpen calls with rotating client types 0x2022, 0xbeef, 0x1337, and 0x4141, storing each new connection into the shared atomic variable without delay. This is intended to create a window where the command gate or related object is used after being freed.
The exploit does not include a post-exploitation payload such as code execution, privilege escalation, persistence, or networking. Its demonstrated capability is local kernel destabilization: the README explicitly states it will crash the device, and the included panic log shows an IOCommandGate 'element modified after free' panic in com.apple.driver.AppleSEPKeyStore. Therefore, this is best classified as a local kernel race-condition PoC that demonstrates denial of service and supports the claim of potential kernel memory write impact, but does not weaponize that impact.
Fingerprintable targets are limited to local system interfaces rather than network infrastructure. The main target is the IOKit service name "AppleKeyStore" and the vulnerable component name "com.apple.driver.AppleSEPKeyStore". The project also references the local framework path System/Library/Frameworks/IOKit.framework. No hardcoded IPs, C2 domains, remote URLs for exploitation, registry keys, or filesystem persistence paths are present. Overall, the repository’s purpose is vulnerability research and reproducible crash demonstration for Apple’s patched CVE-2026-20687.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A kernel use-after-free vulnerability that may allow apps to crash the system or write to kernel memory.
A use-after-free vulnerability that may allow an app to cause system termination or write kernel memory.
A use-after-free vulnerability in macOS Sequoia that could allow an app to cause unexpected system termination or write kernel memory.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.