From a One-Byte Type Error in DFG JIT to Arbitrary Memory Read/Write on iPhone
This post documents the complete exploitation of a type declaration error in WebKit’s JavaScriptCore DFG compiler — from NodeResultInt32 (should have been NodeResultJS) in the DFGNodeType.h macro table, through GC write barrier bypass triggering Use-After-Free, escalating step by step to stable arbitrary memory read/write (AAR/AAW) on a stock, non-jailbroken iPhone (iOS 26.1). End-to-end success rate is approximately 80%.

Field: Value
Vulnerability location: Source/JavaScriptCore/dfg/DFGNodeType.h — MapIterationEntryKey node
Bugzilla: 304950
rdar: 167200795
Fix commit: 3f6f7836068 (cherry-pick 47b55468bf82)
Affected versions: Safari ≤ 26.2 (WebKit 7623.1.14.11.9)
Fixed in: Safari 26.3 (20623.2.7) — Security advisory
Target devices: iPhone / vphone (iOS 26.1) and macOS 26.2
Exploit success rate: ~80% (failures typically manifest as page reloads; unresponsive crashes are rare)

Vulnerability Overview
During JavaScript-to-machine-code compilation, JavaScriptCore (JSC) employs an intermediate-tier compiler called DFG (Data Flow Graph). DFG attaches an output type declaration (NodeResult) to each IR node, telling subsequent optimization passes what type of value the node produces. ...
macOS AMFI Bypass: ObjC Runtime Swizzle in Practice
Background
vphone-cli boots a real iOS 26 virtual machine on Apple Silicon Macs. It is not the Xcode Simulator (which compiles iOS apps for the host architecture); it uses Apple’s private Virtualization.framework PV=3 (Platform Version 3) APIs — the same infrastructure Apple built for Private Cloud Compute (PCC) security research VMs. Under the hood, vphone-cli patches the entire iOS boot chain — AVPBooter, iBSS, iBEC, LLB, TXM, and the kernelcache — to bypass signature verification and allow a custom firmware to boot inside the VM. The jailbreak variant applies 127 binary patches across the boot chain and CFW installation, enabling full root/SSH/Sileo/TrollStore on the guest. ...
CVE-2026-20660: CFNetwork NSGZipDecoder Path Traversal to Arbitrary File Write
Vulnerability Overview
CVE-2026-20660 is a path handling vulnerability in Apple’s CFNetwork framework that allows a remote attacker to write files to arbitrary locations on the victim’s filesystem by serving a malicious gzip file.

Field: Details
Component: CFNetwork (macOS)
Impact: A remote user may be able to write arbitrary files
Fix Description: A path handling issue was addressed with improved logic
Fixed In: Safari 26.3 / macOS Sequoia 26.3 (2026-02-11)
Discovered By: Amy
Vulnerability Class: Path Traversal via Gzip FNAME header (RFC 1952)
Trigger Condition: Safari “Open safe files after downloading” enabled (on by default)
Advisory: Apple Security Release - Safari 26.3

Disclosure note: This is a 1-day analysis performed independently after Apple released the fix in Safari 26.3. The original vulnerability was discovered and reported by Amy. All testing was conducted on macOS with the affected version (Safari 26.2 / macOS 26.2.1) against locally controlled systems. ...
A Clean & Simple Guide to Using Python Virtual Environments with IDA Pro on macOS
For any serious reverse engineer, keeping a clean and organized scripting environment is key. Using a Python virtual environment (venv) for your IDA Pro projects is the best way to manage dependencies and avoid conflicts. Many online guides are outdated, recommending methods that no longer work. This post provides a single, modern, and straightforward solution to connect a Python venv to IDA Pro on macOS using the official, built-in IDAPythonrc startup script. ...
How to Use Frida to Find Block Parameters
Have you ever wanted to peek inside an app on your iPhone or iPad to see exactly what data it’s processing, especially to understand what information it’s sending or receiving? Today, I’ll introduce you to a simple yet powerful method using Frida, which enables you to dynamically detect the parameters of a special piece of code called a “block” within iOS applications.

First: What Exactly is a Block?
In iOS programming, a block is a small, self-contained piece of code that you can pass around your app to be executed later. Imagine it as giving your phone number (the block) to a friend who can then call you when something important happens. ...