zeroxjf

Vulnerability Research

IOHIDFamily-FastPathUserClient-Race-Conditions

UAF and AOP coprocessor panic in IOHIDEventServiceFastPathUserClient. No entitlements, reachable from app sandbox.

kernel race condition ☆ 4

AppleJPEGDriver-startDecoder-timeout-UAF

PoC app for an AppleJPEGDriver timeout/error queue UAF leading to a deferred kernel panic (A19 Pro, iOS 26.3 RC)

kernel uaf ☆ 10

AppleKeyStore-close-UAF

AppleKeyStoreUserClient close() Use-After-Free — iOS kernel vulnerability (patched in 26.3 RC)

kernel uaf ☆ 17

SEP-Exhaustion-Kernel-Panic

SEP firmware panic via AppleKeyStore — iOS/macOS 26.x kernel vulnerability

kernel/SEP DoS ☆ 21

AppleSEPKeyStore-UAF-Panic

AppleSEPKeyStore Use-After-Free Panic (iOS/macOS 26.1-26.2)

kernel uaf ☆ 22

Blog

Patching Metal Graphics into vphone

wh1te4ever's vphone VM gets a working paravirt GPU, but Metal needs a shader compiler plugin trapped in the PCC dyld shared cache — extracted images have no relocations and can't load. Clean-room reimplementation from RE, ~230 lines of C++.

iOS 16/17 Tweaks