## https://sploitus.com/exploit?id=16B187A7-E8B0-57F0-B742-A562E1735D0F
# CVE-2026-20698 - XNU Kernel Heap Overflow via PF_ROUTE RTA_GENMASK
## Overview
A heap buffer overflow in XNU's routing socket (`PF_ROUTE`) code path, hit when `route_msg()` processes an `RTA_GENMASK` address. It can be triggered from an unprivileged process with no entitlements and results in a kernel panic.
- **CVE**: CVE-2026-20698 (credited to DARKNAVY)
- **Affected**: iOS < 26.4, macOS < 26.4
- **Patched**: iOS 26.4 (returns `ENOBUFS` instead of processing oversized genmask)
- **Impact**: Kernel panic / denial of service, potential heap corruption
- **Apple Report**: OE110531644254 (independently discovered, closed as already patched)
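The fix described above rejects an oversized genmask with `ENOBUFS` instead of processing it. The following is an added illustration of that class of check, not code from this repository and not XNU's `route_msg()`: it models a routing-socket message as a header followed by `sockaddr` entries whose `sa_len` is sender controlled, and refuses any entry whose claimed length does not fit in the message before anything is copied based on it. The `toy_*` structures, the `build_msg()`/`check_genmask()` helpers and the constant values are constructed assumptions so the example compiles anywhere.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a routing-socket message, constructed for illustration.
 * A fixed header is followed by sockaddr entries, one per bit set in
 * rtm_addrs, each starting with a one-byte sa_len. These names and
 * layouts are NOT XNU's rt_msghdr/route_msg(); they are assumptions
 * made so the example compiles on any platform. */
#define RTA_DST     0x1
#define RTA_GATEWAY 0x2
#define RTA_NETMASK 0x4
#define RTA_GENMASK 0x8
#define RTAX_MAX    4          /* index 3 is the genmask slot */

struct toy_rt_msghdr {
    uint16_t rtm_msglen;       /* total length, header included */
    uint8_t  rtm_version;
    uint8_t  rtm_type;
    uint32_t rtm_addrs;        /* bitmask of RTA_* entries that follow */
};

struct toy_sockaddr {
    uint8_t sa_len;            /* length claimed by the sender */
    uint8_t sa_family;
    uint8_t sa_data[14];
};

#define ROUNDUP4(n) (((n) + 3u) & ~3u)   /* entries are 4-byte aligned */

/* Walk the entries named by rtm_addrs and record a pointer to each.
 * Returns 0 on success, or ENOBUFS when an entry's claimed sa_len does
 * not fit inside the message: that is the check an oversized genmask
 * must fail before any copy sized by sa_len happens. */
int parse_route_msg(const uint8_t *buf, size_t buflen,
                    const struct toy_sockaddr *sa[RTAX_MAX])
{
    struct toy_rt_msghdr rtm;
    for (int i = 0; i < RTAX_MAX; i++)
        sa[i] = NULL;
    if (buflen < sizeof rtm)
        return ENOBUFS;
    memcpy(&rtm, buf, sizeof rtm);            /* avoids misaligned access */
    if (rtm.rtm_msglen < sizeof rtm || rtm.rtm_msglen > buflen)
        return ENOBUFS;

    size_t off = sizeof rtm, end = rtm.rtm_msglen;
    for (int i = 0; i < RTAX_MAX; i++) {
        if (!(rtm.rtm_addrs & (1u << i)))
            continue;
        if (off + 1 > end)                    /* not even the sa_len byte */
            return ENOBUFS;
        size_t len = buf[off];                /* sa_len, sender controlled */
        if (len < 2 || off + len > end)       /* claimed length must fit */
            return ENOBUFS;
        sa[i] = (const struct toy_sockaddr *)(buf + off);
        off += ROUNDUP4(len);
    }
    return 0;
}

/* Build a constructed message carrying RTA_DST and RTA_GENMASK. The
 * genmask entry physically occupies 8 bytes, but its sa_len is set to
 * whatever the caller asks for, so an inconsistent value can be tested. */
size_t build_msg(uint8_t *out, size_t cap, uint8_t genmask_len)
{
    const size_t dst_bytes = 16, genmask_bytes = 8;
    size_t total = sizeof(struct toy_rt_msghdr) + dst_bytes + genmask_bytes;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    struct toy_rt_msghdr h = { (uint16_t)total, 5, 1, RTA_DST | RTA_GENMASK };
    memcpy(out, &h, sizeof h);
    uint8_t *p = out + sizeof h;
    p[0] = (uint8_t)dst_bytes;                /* well-formed destination */
    p[1] = 2;                                 /* AF_INET-like family (constructed) */
    p += dst_bytes;
    p[0] = genmask_len;                       /* genmask sa_len under test */
    p[1] = 0;
    return total;
}

/* Parse a message whose genmask claims genmask_len bytes; returns the
 * parser's verdict (0 or ENOBUFS). */
int check_genmask(uint8_t genmask_len)
{
    uint8_t buf[64];
    const struct toy_sockaddr *sa[RTAX_MAX];
    size_t n = build_msg(buf, sizeof buf, genmask_len);
    return parse_route_msg(buf, n, sa);
}

int main(void)
{
    printf("genmask sa_len 8   -> %s\n", check_genmask(8)   ? "ENOBUFS" : "ok");
    printf("genmask sa_len 255 -> %s\n", check_genmask(255) ? "ENOBUFS" : "ok");
    return 0;
}
```

The point of the example is where the bounds check sits: the length byte is validated against the bytes remaining in the message before it is used for anything, so a genmask that claims more than the message holds is rejected with `ENOBUFS` rather than reaching code that would size a copy from it.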
## Files
- `pf_route_crash.c` - Minimal PoC (triggers kernel panic)
- `variant_probe.c` - Variant analysis across route families
- `family_probe.c` - Family enumeration probe
- `route_26_4_variants.c` - Post-patch variant testing (26.4)
- `genmask_escalate.c` - Escalation attempt analysis
- `variant_26_4_test.m` - iOS app variant test
- `single_family.c` - Single family isolation test
- `APPLE_SUBMISSION.md` - Original Apple Security Bounty submission
- `panic_iphone17_26.3.1.ips` - Kernel panic log from iPhone 17 Pro Max
## Note
This CVE was officially assigned to **DARKNAVY**, who reported it before us. We independently discovered the same vulnerability through kernel source code analysis and binary testing on a real iPhone 17 Pro Max. Our Apple Security Bounty submission (OE110531644254) was closed as the issue was already patched in iOS 26.4.
## Researcher
Somair Ansar (somairansar71@gmail.com)
Independently discovered, submitted 29/03/2026. Not the original reporter.