Share
## https://sploitus.com/exploit?id=7D4BEA75-ACE5-53A2-BFB4-628C39970586
# CVE-2026-28992 โ€” IOHIDFamily FastPathUserClient PoC

Security research repository. Two PoC apps demonstrating the race conditions in `IOHIDFamily`'s `FastPathUserClient` on iOS 18.7.1 and earlier.

> **โš ๏ธ Both PoCs will kernel-panic and reboot your device. Save your work first.**

---

## Vulnerability Summary

| Field | Detail |
|-------|--------|
| **CVE** | CVE-2026-28992 |
| **Component** | IOHIDFamily โ€” `IOHIDEventServiceFastPathUserClient` |
| **Type** | Memory corruption (race condition / UAF) |
| **Reachable from** | Normal app sandbox, **zero entitlements required** |
| **Patched in** | iOS 18.7.9 / iOS 26.5 |
| **Researcher** | Johnny Franks (@zeroxjf) |

### Root Cause

`sel0` (open/gate) checks `FastPathHasEntitlement` and `FastPathMotionEventEntitlement`
in the **caller-supplied OSDictionary** rather than the entitlement flags stored during
`initWithTask`. A sandboxed app passes the gate by including those keys in its input dict.

Two vectors follow from there:

---

## UAFPoc โ€” Use-After-Free

`UAFPoc/UAFPoc.xcodeproj`

**Race:** `close` (sel1) drops provider state and clears offset `+0x109` without a lock.
`copyEvent` (sel2) checks offset `+0x108` under a per-connection lock, then calls into
the provider. Multiple connections to the same provider mean close and copyEvent run in
**different locking domains** on the same shared provider-side objects.

**Crash type:**
- A17+ (MTE): kernel MTE tag check fault
- Pre-A17: kernel data abort

---

## AOPPanicPoc โ€” AOP Coprocessor Watchdog

`AOPPanicPoc/AOPPanicPoc.xcodeproj`

**Race:** `mach_port_destroy` triggers async `didTerminate โ†’ teardown`, unsynchronized
with concurrent `sel0` open paths on other connections. Teardown frees provider-facing
state while opener threads iterate it. Also saturates SPU-backed providers' mailbox โ†’
AOP watchdog timeout.

---

## How to Build & Sideload

### Requirements
- macOS with Xcode 15+
- Apple Developer account (free tier works for sideloading)
- iPhone 16e on iOS 18.7.1 (or any iOS 15.0โ€“18.7.8 / 26.0โ€“26.4.x device)

### Steps

```bash
git clone https://github.com/clogan9019-dotcom/IOHIDFamily-PoC-Research.git
cd IOHIDFamily-PoC-Research
```

**UAF variant:**
1. Open `UAFPoc/UAFPoc.xcodeproj` in Xcode
2. Select your device in the top bar
3. Set your Team in Signing & Capabilities (your Apple ID is fine)
4. Product โ†’ Run (โŒ˜R) โ€” Xcode will install and launch it directly

**AOP variant:**
1. Open `AOPPanicPoc/AOPPanicPoc.xcodeproj` in Xcode
2. Same signing steps
3. Product โ†’ Run (โŒ˜R)

### Getting the Panic Log

After the device reboots:
1. Plug into Mac
2. Open Xcode โ†’ Window โ†’ Devices and Simulators โ†’ View Device Logs
3. Find the most recent `Panic` log (`.ips` file)
4. Save it to `panic-logs/` and commit for analysis

Alternatively via Terminal:
```bash
# After reboot, pull the log
idevicecrashreport -u  ./panic-logs/
```

---

## What to Look For in the Panic Log

On **A18 (iPhone 16e)** you should see one of:
- `MTE tag check fault` โ€” the UAF variant freeing and reallocating a tagged heap object
- `AOP watchdog timeout` โ€” the AOP variant saturating the SPU mailbox

Key fields to note:
```
Kernel version:      Darwin Kernel Version ...
Hardware Model:      iPhone17,5
panic(cpu N ...):    
Backtrace:
  ... IOHIDEventServiceFastPathUserClient ...
```

The function names in the backtrace tell you exactly which code path triggered.

---

## Disclosure Timeline

| Date | Event |
|------|-------|
| Unknown | Bug discovered by Johnny Franks (@zeroxjf) |
| May 11, 2026 | Patched in iOS 18.7.9 / iOS 26.5 |
| June 21, 2026 | Public PoC code released |

---

## Reporting to Apple

Unpatched variants or related bugs can be reported at:
**https://security.apple.com/submit**

For kernel bugs: describe component, reproduction steps, crash type, and attach the `.ips` panic log.

---

## Related CVEs on iOS 18.7.1

| CVE | Component | Status on 18.7.1 |
|-----|-----------|-----------------|
| CVE-2025-43510 | AppleM2ScalerCSCDriver (DarkSword Stage 5) | Unpatched (fixed in 18.7.2) |
| CVE-2026-28992 | IOHIDFamily FastPathUserClient | **Unpatched** (fixed in 18.7.9) |
| CVE-2026-43655 | AppleM2ScalerCSCDriver OOB read | **Unpatched and never backported to 18.x** |
| CVE-2026-20687 | Kernel UAF โ†’ write kernel memory | Unpatched (fixed in 18.7.7) |

---

*For educational and responsible disclosure purposes only.*