Research

Independent vulnerability research on iOS and adjacent surfaces. The approach pairs targeted reverse engineering with AI-assisted analysis at scale.

Published Disclosures

Current Findings

EN-0004 2026-04 iOS 26.x

IOSurface — Destructor-Order Use-After-Free

An object is unlinked and freed during its own teardown path before the base-destructor chain completes.

Research stage

EN-0003 2026-04 iOS 26.x

AppleJPEGDriver — Out-of-Bounds Read

A user-controlled length field in the decode path is not bounds-checked against the in-bounds tail size. Triggerable from the app sandbox with no entitlements.

Reproducible PoC

EN-0002 2026-04 iOS 26.x

AppleJPEGDriver — Input-Lifetime Use-After-Free

Pointers into caller-owned externalMethod input storage are retained in a queued request and dereferenced after the storage has gone out of scope. Triggerable from the app sandbox with no entitlements.

Reproducible PoC

EN-0001 2026-04 iOS 26.x

AppleJPEGDriver — Stack-Lifetime Use-After-Free

Pointers to stack-resident encode data are retained across function return in a queued request path. Triggerable from the app sandbox with no entitlements.

Reproducible PoC

Inquiries: contact@enfilade.io · PGP