oss-sec mailing list archives

[CVE Pending] WebKit JSC Integer Overflow – OOB Write via Gigacage (iOS 26.2)
--------------------------------------------------------------------Full advisory, PoC, and logs:
[https://github.com/JGoyd/0day-GigaCage-Webkit]
--------------------------------------------------------------------
1. Executive Summary

A critical vulnerability exists in the WebKit JavaScriptCore (JSC)
engine. Integer overflow in memory offset calculations for
ArrayBuffer, TypedArray, and WebAssembly enables out-of-bounds
(OOB) memory access. Gigacage currently mitigates this via process
termination, but the underlying logic flaw could be used for remote
code execution if combined with a mitigation bypass.

--------------------------------------------------------------------
2. Environment Details

OS: iOS 26.2 (Build 23C55)
WebKit: 8623.1.14.10.9
Crash: EXC_GUARD (Namespace 31: Gigacage Primitive Partition)
Offset: 0xADD7476C
Device: iPhone 15,3 (iPhone 14 Pro Max)
UUID: af25fa78-ae3e-3bf4-b320-4404d3a36a77

--------------------------------------------------------------------
3. Technical Analysis (CWE-190)

Vulnerability occurs during offset calculation for TypedArray and
DataView. If 'index * elementSize' wraps at the 32-bit boundary, the
overflowed value can pass initial bounds checks. When added to the
Gigacage base pointer, this can exceed the 16GB boundary, triggering
a guard violation.

The flaw is also reachable via the WebAssembly JIT, which may elide
bounds checks; wraparound in 32-bit arithmetic permits unsanitized
JITed memory access.

--------------------------------------------------------------------
4. Proof of Concept (PoC)

JavaScript (DataView vector):

const buffer = new ArrayBuffer(1024);
const view = new DataView(buffer);
// 0xFFFFFFFE + 4 wraps at 32-bits
view.setUint32(0xFFFFFFFE, 0x41414141);

WebAssembly (JIT vector):

;; (i32.add (i32.const 0xFFFFFFFF) (i32.const 0x5)) wraps to 0x4
(i32.load offset=0)

Reproduction Steps:

1. Host PoC HTML on HTTPS server.
2. Access with Mobile Safari on iOS 26.2.
3. Observe termination of WebContent process.
4. Confirm offset 0xADD7476C in crash log.

--------------------------------------------------------------------
5. Remediation

Implement checked arithmetic in the following components:

- Source/JavaScriptCore/runtime/JSArrayBufferView.cpp
- Source/JavaScriptCore/runtime/JSDataView.cpp

Proposed fix:

size_t byteOffset;
if (__builtin_mul_overflow(static_cast<size_t>(index),
m_elementSize, &byteOffset)) {
return throwOverflowError();
}

--------------------------------------------------------------------
6. Supporting Evidence

Consistent crash offset and namespace 31 violation found in:

ExcUserFault_MobileSafari-2025-12-25-131432.ips
ExcUserFault_SafariViewService-2025-12-25-062945.ips

--------------------------------------------------------------------
7. Disclosure

Apple Security is being notified at the same time as this public
mailing list post, as they are CC'd on this email. This is not a
coordinated disclosure; notification to Apple and the broadercommunity is occurring simultaneously.
--------------------------------------------------------------------
8. Legal Disclaimer

Provided for authorized security research only.
Unauthorized use is prohibited and may be unlawful.

--------------------------------------------------------------------

Thank you,
Joseph Goydish II

Current thread:

• [Advisory] WebKit/iOS 26.2: Gigacage Boundary Violation via Logic Flaw enabling OOB Access Joseph Goydish II (Dec 26)