## https://sploitus.com/exploit?id=E7102E7F-793F-5DB6-A727-BAEC6F72C7C0
# CVE-2025-24257
**IOGPUFamily bitmap_mask underflow → kernel heap OOB write**
First public PoC. Original discovery by [Wang Yu](https://twitter.com/9iclr) of Cyberserval.
## Vulnerability
The IOGPUFamily kernel extension (`com.apple.IOGPU`) contains an integer underflow in `newResourceGroup()`:
```c
bitmap_mask = (capacity >> 6) - 1;
```
When `capacity < 64`, `capacity >> 6` evaluates to 0 and the subtraction wraps `bitmap_mask` around to `0xFFFFFFFF`. The bitmap iterator then walks far past the 8-byte bitmap allocation, reaching unmapped memory past the zone page, and the kernel panics.

**WARNING**: This will immediately crash your device. It will reboot.
## Technical Details
| Field | Value |
|-------|-------|
| Service | `IOGPU` |
| User client type | 1 |
| Selector | 9 (`s_new_resource`) |
| structIn size | 128 bytes |
| structIn[0] | 3 (resource group) |
| structIn[56] | 1 (capacity) |
| bitmap_mask | `0xFFFFFFFF` (underflow from `(1>>6)-1`) |
| Bitmap alloc | 8 bytes in `kalloc.type.var*.16` |
| Panic PC | `sub_FFFFFFF009863C7C` (bitmap iterator) |
## Panic Log Signature
```
panic: kernel data abort
FAR: 0xffffffe0XXXXXXXX (unmapped, past zone page)
PC: 0xFFFFFFF009863C7C (IOGPUFamily bitmap iterator)
x27: 1 (capacity of vulnerable group)
```
## Root Cause (Pseudocode)
```c
void newResourceGroup(uint32_t capacity) {
    // BUG: no check for capacity < 64 before the subtraction
    uint32_t bitmap_mask = (capacity >> 6) - 1; // 0xFFFFFFFF when capacity < 64
    /* ... bitmap of 8 bytes allocated, then iterated using bitmap_mask ... */
}
```
The fix checks `capacity >= 64` before computing `bitmap_mask`.
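As an added illustration (not code from the PoC or from IOGPUFamily), the following user-space model reproduces the mask arithmetic from the Vulnerability and Root Cause sections beside the checked form the fix implies. The iterator model and the one-word-per-64-entries allocation rule are assumptions used only to quantify how far past the 8-byte allocation a wrapped mask would drive a walk; the model counts the overrun rather than performing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: the expression from the page. For capacity < 64 the shift
   yields 0 and the unsigned subtraction wraps to 0xFFFFFFFF. */
uint32_t bitmap_mask_unchecked(uint32_t capacity) {
    return (capacity >> 6) - 1;
}

/* Checked form: reject capacity < 64 before the subtraction can wrap.
   Returns false (and leaves *mask_out untouched) when the input is rejected. */
bool bitmap_mask_checked(uint32_t capacity, uint32_t *mask_out) {
    if (capacity < 64) {
        return false;
    }
    *mask_out = (capacity >> 6) - 1;
    return true;
}

/* Assumption: one 64-bit word (8 bytes) is allocated per 64 entries, rounded up,
   so capacity 1 gets a single 8-byte word as the page reports. */
size_t bitmap_words_allocated(uint32_t capacity) {
    return ((size_t)capacity + 63) / 64;
}

/* Assumption: an iterator visits words 0..mask inclusive. Instead of touching
   memory, report how many words such a walk would reach beyond the allocation. */
uint64_t words_past_allocation(uint32_t capacity, uint32_t mask) {
    uint64_t walked = (uint64_t)mask + 1;
    uint64_t alloc = (uint64_t)bitmap_words_allocated(capacity);
    return walked > alloc ? walked - alloc : 0;
}

int main(void) {
    uint32_t caps[] = {1, 63, 64, 128};
    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++) {
        uint32_t cap = caps[i], checked = 0;
        uint32_t unchecked = bitmap_mask_unchecked(cap);
        bool ok = bitmap_mask_checked(cap, &checked);
        printf("capacity=%3u unchecked_mask=0x%08x words_past_alloc=%llu checked=%s\n",
               cap, unchecked,
               (unsigned long long)words_past_allocation(cap, unchecked),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```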
## Credits
- **Vulnerability Discovery**: Wang Yu of Cyberserval
- **PoC Development**: CrazyMind90 (with Claude Code)
- **Apple Advisory**: [HT210346](https://support.apple.com/en-us/HT210346)
## Disclaimer
This PoC is provided for **defensive security research and education only**. The vulnerability is fully patched. Do not use this against devices you do not own. The author is not responsible for misuse.
## License
MIT