## https://sploitus.com/exploit?id=7D4BEA75-ACE5-53A2-BFB4-628C39970586
# CVE-2026-28992 โ IOHIDFamily FastPathUserClient PoC
Security research repository. Two PoC apps demonstrating the race conditions in `IOHIDFamily`'s `FastPathUserClient` on iOS 18.7.1 and earlier.
> **โ ๏ธ Both PoCs will kernel-panic and reboot your device. Save your work first.**
---
## Vulnerability Summary
| Field | Detail |
|-------|--------|
| **CVE** | CVE-2026-28992 |
| **Component** | IOHIDFamily โ `IOHIDEventServiceFastPathUserClient` |
| **Type** | Memory corruption (race condition / UAF) |
| **Reachable from** | Normal app sandbox, **zero entitlements required** |
| **Patched in** | iOS 18.7.9 / iOS 26.5 |
| **Researcher** | Johnny Franks (@zeroxjf) |
### Root Cause
`sel0` (open/gate) checks `FastPathHasEntitlement` and `FastPathMotionEventEntitlement`
in the **caller-supplied OSDictionary** rather than the entitlement flags stored during
`initWithTask`. A sandboxed app passes the gate by including those keys in its input dict.
Two vectors follow from there:
---
## UAFPoc โ Use-After-Free
`UAFPoc/UAFPoc.xcodeproj`
**Race:** `close` (sel1) drops provider state and clears offset `+0x109` without a lock.
`copyEvent` (sel2) checks offset `+0x108` under a per-connection lock, then calls into
the provider. Multiple connections to the same provider mean close and copyEvent run in
**different locking domains** on the same shared provider-side objects.
**Crash type:**
- A17+ (MTE): kernel MTE tag check fault
- Pre-A17: kernel data abort
---
## AOPPanicPoc โ AOP Coprocessor Watchdog
`AOPPanicPoc/AOPPanicPoc.xcodeproj`
**Race:** `mach_port_destroy` triggers async `didTerminate โ teardown`, unsynchronized
with concurrent `sel0` open paths on other connections. Teardown frees provider-facing
state while opener threads iterate it. Also saturates SPU-backed providers' mailbox โ
AOP watchdog timeout.
---
## How to Build & Sideload
### Requirements
- macOS with Xcode 15+
- Apple Developer account (free tier works for sideloading)
- iPhone 16e on iOS 18.7.1 (or any iOS 15.0โ18.7.8 / 26.0โ26.4.x device)
### Steps
```bash
git clone https://github.com/clogan9019-dotcom/IOHIDFamily-PoC-Research.git
cd IOHIDFamily-PoC-Research
```
**UAF variant:**
1. Open `UAFPoc/UAFPoc.xcodeproj` in Xcode
2. Select your device in the top bar
3. Set your Team in Signing & Capabilities (your Apple ID is fine)
4. Product โ Run (โR) โ Xcode will install and launch it directly
**AOP variant:**
1. Open `AOPPanicPoc/AOPPanicPoc.xcodeproj` in Xcode
2. Same signing steps
3. Product โ Run (โR)
### Getting the Panic Log
After the device reboots:
1. Plug into Mac
2. Open Xcode โ Window โ Devices and Simulators โ View Device Logs
3. Find the most recent `Panic` log (`.ips` file)
4. Save it to `panic-logs/` and commit for analysis
Alternatively via Terminal:
```bash
# After reboot, pull the log
idevicecrashreport -u ./panic-logs/
```
---
## What to Look For in the Panic Log
On **A18 (iPhone 16e)** you should see one of:
- `MTE tag check fault` โ the UAF variant freeing and reallocating a tagged heap object
- `AOP watchdog timeout` โ the AOP variant saturating the SPU mailbox
Key fields to note:
```
Kernel version: Darwin Kernel Version ...
Hardware Model: iPhone17,5
panic(cpu N ...):
Backtrace:
... IOHIDEventServiceFastPathUserClient ...
```
The function names in the backtrace tell you exactly which code path triggered.
---
## Disclosure Timeline
| Date | Event |
|------|-------|
| Unknown | Bug discovered by Johnny Franks (@zeroxjf) |
| May 11, 2026 | Patched in iOS 18.7.9 / iOS 26.5 |
| June 21, 2026 | Public PoC code released |
---
## Reporting to Apple
Unpatched variants or related bugs can be reported at:
**https://security.apple.com/submit**
For kernel bugs: describe component, reproduction steps, crash type, and attach the `.ips` panic log.
---
## Related CVEs on iOS 18.7.1
| CVE | Component | Status on 18.7.1 |
|-----|-----------|-----------------|
| CVE-2025-43510 | AppleM2ScalerCSCDriver (DarkSword Stage 5) | Unpatched (fixed in 18.7.2) |
| CVE-2026-28992 | IOHIDFamily FastPathUserClient | **Unpatched** (fixed in 18.7.9) |
| CVE-2026-43655 | AppleM2ScalerCSCDriver OOB read | **Unpatched and never backported to 18.x** |
| CVE-2026-20687 | Kernel UAF โ write kernel memory | Unpatched (fixed in 18.7.7) |
---
*For educational and responsible disclosure purposes only.*