Share
## https://sploitus.com/exploit?id=61085432-697C-5BB6-B692-B01ADE610CBD
# WebKit-UAF-ANGLE-OOB-Analysis (CVE-2025-43529, CVE-2025-14174)

**Author:** 0xjf
**Status:** Work in Progress
**Test Device:** iPhone 11 Pro Max, iOS 26.1
**Last Updated:** January 2026

---

## Disclaimer

This is an **ongoing research project**. I'm sharing where I'm currently at - the exploit achieves `addrof`/`fakeobj` primitives but full arbitrary read/write is blocked by arm64e PAC. Bypassing PAC is an elusive puzzle, but that's what makes it a fun riddle to try solving. More updates to come as I dig deeper.

---

## Apple Security Advisory Context

These vulnerabilities were disclosed by Apple as part of an **"extremely sophisticated attack against specific targeted individuals"**:

### CVE-2025-43529 (WebKit UAF)

> **WebKit**
> Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
>
> **Impact:** Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.
>
> **Description:** A use-after-free issue was addressed with improved memory management.
> WebKit Bugzilla: 302502
> **CVE-2025-43529:** Google Threat Analysis Group

### CVE-2025-14174 (ANGLE OOB)

> **WebKit**
> Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
>
> **Impact:** Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.
>
> **Description:** A memory corruption issue was addressed with improved validation.
> WebKit Bugzilla: 303614
> **CVE-2025-14174:** Apple and Google Threat Analysis Group

---

## Overview

This repository documents my analysis of the exploit chain. Both CVEs were used together in the wild - the WebKit UAF provides initial code execution in the renderer, and the ANGLE OOB targets the GPU process for sandbox escape.

| CVE | Component | Type | Current Status |
|-----|-----------|------|----------------|
| CVE-2025-43529 | WebKit JavaScriptCore | Use-After-Free | addrof/fakeobj working |
| CVE-2025-14174 | ANGLE (GPU Process) | Out-of-Bounds Write | Trigger confirmed |

---

## CVE-2025-43529: WebKit DFG Store Barrier UAF

### Root Cause

The vulnerability exists in JavaScriptCore's DFG JIT compiler, specifically in the **Store Barrier Insertion Phase** (`DFGStoreBarrierInsertionPhase.cpp`).

The bug occurs when a **Phi node escapes** but its **Upsilon inputs are not marked as escaped**. This causes subsequent stores to those objects to lack write barriers, allowing the garbage collector to free objects that are still reachable.

### Trigger Mechanism

```javascript
function triggerUAF(flag, k, allocCount) {
    let A = { p0: 0x41414141, p1: 1.1, p2: 2.2 };
    arr[arr_index] = A;  // A in old space

    let a = new Date(1111);
    a[0] = 1.1;  // Creates butterfly for Date

    // Force GC
    for (let j = 0; j  0x0000007ffffffffc
(possible pointer authentication failure)
```

### Why The Original Confusion Works

The type confusion succeeds because both arrays use **legitimately signed** butterfly pointers - we're just reinterpreting the same memory. Fake objects with arbitrary unsigned pointers crash on PAC check.

### The Riddle

Finding a PAC bypass is the fun part. Some avenues I'm exploring:

1. JIT code paths that might skip authentication
2. Gadgets that sign arbitrary pointers
3. Leveraging the ANGLE OOB differently
4. Alternative primitives that don't require fake objects

This is where the real puzzle is. More to come.

---

## Current Capabilities

| Primitive | Status | Notes |
|-----------|--------|-------|
| `addrof(obj)` | **Working** | Leak any JS object address |
| `fakeobj(addr)` | **Working** | Create object ref at address |
| Address leaking | **Working** | 20+ addresses per run |
| `read64(addr)` | Blocked | PAC on m_vector/butterfly |
| `write64(addr)` | Blocked | PAC on m_vector/butterfly |

---

## Repository Structure

```
โ”œโ”€โ”€ README.md                 # This file
โ”œโ”€โ”€ poc/
โ”‚   โ”œโ”€โ”€ uaf_trigger.js        # UAF trigger snippet
โ”‚   โ”œโ”€โ”€ primitives.js         # addrof/fakeobj setup
โ”‚   โ””โ”€โ”€ angle_oob.js          # ANGLE OOB trigger
โ””โ”€โ”€ analysis/
    โ”œโ”€โ”€ pac_analysis.md       # Detailed PAC findings
    โ””โ”€โ”€ crash_logs/           # Example crash reports
```

---

## References

- WebKit Bugzilla: 302502, 303614
- Apple Security Updates - iOS 26
- Google Threat Analysis Group

---

**Work in progress. Stay tuned.**