From a One-Byte Type Error in DFG JIT to Arbitrary Memory Read/Write on iPhone
This post documents the complete exploitation of a type declaration error in WebKit’s JavaScriptCore DFG compiler — from NodeResultInt32 (should have been NodeResultJS) in the DFGNodeType.h macro table, through GC write barrier bypass triggering Use-After-Free, escalating step by step to stable arbitrary memory read/write (AAR/AAW) on a stock, non-jailbroken iPhone (iOS 26.1). End-to-end success rate is approximately 80%.

| Field | Value |
|---|---|
| Vulnerability location | Source/JavaScriptCore/dfg/DFGNodeType.h — MapIterationEntryKey node |
| Bugzilla | 304950 |
| rdar | 167200795 |
| Fix commit | 3f6f7836068 (cherry-pick 47b55468bf82) |
| Affected versions | Safari ≤ 26.2 (WebKit 7623.1.14.11.9) |
| Fixed in | Safari 26.3 (20623.2.7) — Security advisory |
| Target devices | iPhone / vphone (iOS 26.1) and macOS 26.2 |
| Exploit success rate | ~80% (failures typically manifest as page reloads; unresponsive crashes are rare) |

Vulnerability Overview

During JavaScript-to-machine-code compilation, JavaScriptCore (JSC) employs an intermediate-tier compiler called DFG (Data Flow Graph). DFG attaches an output type declaration (NodeResult) to each IR node, telling subsequent optimization passes what type of value the node produces.

...
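To make concrete why a wrong NodeResult declaration matters for memory safety, here is an added, simplified model of a generational write barrier (example code written for this page, not JavaScriptCore's own heap or DFG code). The enum, the `Heap` class and the assumption that a store compiled from a node declared Int32 omits the barrier are all constructed for illustration; they model the mechanism the post describes rather than reproduce JSC's implementation.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

// Declared result type of an IR node. JSC's DFGNodeType.h records this in a
// macro table (NodeResultInt32, NodeResultJS, ...); this enum is a stand-in
// for the one distinction that matters here (assumption: simplified model).
enum class NodeResult { Int32, JS };

struct Cell {
    bool old = false;              // already promoted to the old generation
    std::vector<Cell*> slots;      // outgoing references
};

struct Heap {
    std::vector<Cell*> roots;
    std::set<Cell*> remembered;    // old cells recorded by the write barrier

    // Generational write barrier: an old cell that receives a pointer to a
    // young cell is added to the remembered set so the next young collection
    // rescans it.
    void writeBarrier(Cell* owner, Cell* value) {
        if (owner->old && value && !value->old)
            remembered.insert(owner);
    }

    // A compiled store. In this model the compiler omits the barrier when the
    // node's declared result type says the value cannot be a heap cell (Int32).
    void store(Cell* owner, std::size_t slot, Cell* value, NodeResult declared) {
        if (declared == NodeResult::JS)
            writeBarrier(owner, value);
        owner->slots[slot] = value;
    }

    // Young-generation mark phase: starts from the roots plus the remembered
    // set. Old cells outside the remembered set are assumed unchanged and are
    // not rescanned, which is exactly the guarantee the barrier provides.
    std::set<Cell*> markYoung() {
        std::set<Cell*> live;
        std::vector<Cell*> work(roots.begin(), roots.end());
        work.insert(work.end(), remembered.begin(), remembered.end());
        while (!work.empty()) {
            Cell* c = work.back();
            work.pop_back();
            if (!c || !live.insert(c).second)
                continue;
            if (c->old && !remembered.count(c))
                continue;  // old and not remembered: children not rescanned
            for (Cell* child : c->slots)
                work.push_back(child);
        }
        return live;
    }
};

// Does a young cell stored into an old, rooted cell survive the next young
// collection? In this model, only if the store was compiled with a barrier.
// A false result means the old cell still holds a pointer to reclaimed
// memory: the dangling reference behind the Use-After-Free.
bool youngSurvives(NodeResult declared) {
    Heap heap;
    Cell owner;
    owner.old = true;
    owner.slots.resize(1, nullptr);
    Cell young;                    // freshly allocated, not yet promoted
    heap.roots.push_back(&owner);
    heap.store(&owner, 0, &young, declared);
    return heap.markYoung().count(&young) != 0;
}

int main() {
    std::printf("declared JS:    young survives = %d\n", youngSurvives(NodeResult::JS));
    std::printf("declared Int32: young survives = %d\n", youngSurvives(NodeResult::Int32));
    return 0;
}
```

The point of the model is the asymmetry: with the node declared NodeResultJS the barrier runs and the young cell is kept alive; with the node mislabelled NodeResultInt32 the collector never rescans the old owner, so the live young cell is reclaimed while the owner still references it. A reviewer auditing a NodeResult change should therefore treat it as a change to which stores carry a barrier, not as a cosmetic type annotation.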