WebKit-UAF-ANGLE-OOB-Analysis (CVE-2025-43529, CVE-2025-1417... #1791
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title/Scope
Repository notes + PoC material analyzing an iOS Safari exploit chain on iOS 26.1 combining:
- CVE-2025-43529 (JavaScriptCore / WebKit): Use-After-Free from a DFG JIT missing write barrier (store-barrier insertion bug).
- CVE-2025-14174 (ANGLE / Metal backend): Out-of-Bounds write in WebGL2 PBO upload due to a staging-buffer allocation bug.
Repo status / environment
- Status: Work in progress; ...
🔧 Technical Details
JSC DFG missing write barrier → GC UAF (CVE-2025-43529): If a DFG Phi node "escapes" but its Upsilon inputs are not marked escaped, the Store Barrier Insertion Phase (`DFGStoreBarrierInsertionPhase.cpp`) may omit a write barrier for a later object store. By forcing GC (e.g., many `ArrayBuffer(0x800000)` allocations) and widening timing with a long loop, an attacker can cause GC to free an object (or its backing storage) that is still reachable, producing a use-after-free.

Butterfly reclaim → boxed/unboxed type confusion primitives: After the UAF frees a structure with indexed storage (e.g., a `Date` butterfly created via `a[0] = 1.1`), spray allocations to reclaim the freed butterfly memory as array element storage. Use two array "views" where one interprets the same slots as boxed pointers and another interprets them as Float64. Implement `addrof` by writing `boxed_arr[0] = obj` and reading pointe...

🤖 Agent Actions
Updated HackTricks with a new iOS WebKit/ANGLE exploitation note and linked it from the iOS exploitation index.
Changes:
- `webkit-dfg-store-barrier-uaf-angle-oob.md` detailing the JSC DFG store-barrier UAF trigger, butterfly reclaim primitives, arm64e PAC constraints, and ANGLE PBO staging-buffer OOB write.
- `ios-exploiting/README.md`: linked alongside existing Safari/iMessage chain coverage.

Tests: Not run (documentation-only changes).
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
📚 Repository Maintenance
All .md files have been checked for proper formatting (headers, includes, etc.).