[CVE Pending] WebKit JSC Integer Overflow – OOB Write via Gigacage (iOS 26.2)
--------------------------------------------------------------------
Full advisory, PoC, and logs:
[https://github.com/JGoyd/0day-GigaCage-Webkit]
--------------------------------------------------------------------
1. Executive Summary

A critical vulnerability exists in the WebKit JavaScriptCore (JSC)
engine. An integer overflow in memory offset calculations for
ArrayBuffer, TypedArray, and WebAssembly enables out-of-bounds
(OOB) memory access. Gigacage currently mitigates this via process
termination, but the underlying logic flaw could be used for remote
code execution if combined with a mitigation bypass.

--------------------------------------------------------------------
2. Environment Details

OS: iOS 26.2 (Build 23C55)
WebKit: 8623.1.14.10.9
Crash: EXC_GUARD (Namespace 31: Gigacage Primitive Partition)
Offset: 0xADD7476C
Device: iPhone 15,3 (iPhone 14 Pro Max)
UUID: af25fa78-ae3e-3bf4-b320-4404d3a36a77

--------------------------------------------------------------------
3. Technical Analysis (CWE-190)

The vulnerability occurs during offset calculation for TypedArray and
DataView. If 'index * elementSize' wraps at the 32-bit boundary, the
overflowed value can pass initial bounds checks. When added to the
Gigacage base pointer, this can exceed the 16GB boundary, triggering
a guard violation.

The flaw is also reachable via the WebAssembly JIT, which may elide
bounds checks; wraparound in 32-bit arithmetic permits unsanitized
JITed memory access.

--------------------------------------------------------------------
4. Proof of Concept (PoC)

JavaScript (DataView vector):

const buffer = new ArrayBuffer(1024);
const view = new DataView(buffer);
// 0xFFFFFFFE + 4 wraps at 32-bits
view.setUint32(0xFFFFFFFE, 0x41414141);

WebAssembly (JIT vector):

(module (memory 1) (func (export "f") (result i32)
  ;; (i32.add (i32.const 0xFFFFFFFF) (i32.const 0x5)) wraps to 0x4
  (i32.load offset=0 (i32.add (i32.const 0xFFFFFFFF) (i32.const 0x5)))))

Reproduction Steps:

1. Host PoC HTML on HTTPS server.
2. Access with Mobile Safari on iOS 26.2.
3. Observe termination of WebContent process.
4. Confirm offset 0xADD7476C in crash log.

--------------------------------------------------------------------
5. Remediation

Implement checked arithmetic in the following components:

- Source/JavaScriptCore/runtime/JSArrayBufferView.cpp
- Source/JavaScriptCore/runtime/JSDataView.cpp

Proposed fix:

size_t byteOffset;
// Reject the access if index * m_elementSize does not fit in size_t.
if (__builtin_mul_overflow(static_cast<size_t>(index),
                           m_elementSize, &byteOffset)) {
    return throwOverflowError();
}
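To make the CWE-190 pattern and the effect of the proposed fix concrete, the following is an added illustration (not the advisory's PoC and not WebKit's code): a hypothetical offset computation done in 32-bit arithmetic, where the product or the sum wraps before the bounds check, next to the same computation using __builtin_mul_overflow / __builtin_add_overflow in size_t.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical model of the bug class in the advisory (not WebKit's code):
// a byte offset is computed as index * elementSize and the access is
// allowed if offset + elementSize fits inside byteLength.

// Vulnerable form: every step is 32-bit, so index * elementSize (or the
// later addition) can wrap modulo 2^32 and a huge index ends up looking
// like a small, in-bounds offset. Returns true if the check is passed.
bool uncheckedAccessAllowed(uint32_t index, uint32_t elementSize,
                            uint32_t byteLength, uint32_t* outOffset) {
    uint32_t byteOffset = index * elementSize;      // may wrap
    *outOffset = byteOffset;
    return byteOffset + elementSize <= byteLength;  // may wrap as well
}

// Hardened form in the spirit of the advisory's proposed fix: widen to
// size_t and let the compiler builtins report any wrap, so an overflowed
// computation is rejected instead of silently passing the bounds check.
bool checkedByteOffset(size_t index, size_t elementSize,
                       size_t byteLength, size_t* outOffset) {
    size_t byteOffset, end;
    if (__builtin_mul_overflow(index, elementSize, &byteOffset))
        return false;                               // product overflowed
    if (__builtin_add_overflow(byteOffset, elementSize, &end))
        return false;                               // offset + size overflowed
    if (end > byteLength)
        return false;                               // genuinely out of bounds
    *outOffset = byteOffset;
    return true;
}

int main() {
    // Constructed inputs against a 1024-byte buffer of 4-byte elements.
    const uint32_t cases[] = { 0x40000001u,   // product wraps to 4
                               0x3FFFFFFFu,   // offset 0xFFFFFFFC + 4 wraps to 0
                               255u, 256u };  // last valid index, first invalid
    for (uint32_t index : cases) {
        uint32_t off32 = 0; size_t off = 0;
        bool weak = uncheckedAccessAllowed(index, 4, 1024, &off32);
        bool safe = checkedByteOffset(index, 4, 1024, &off);
        std::printf("index 0x%08x: unchecked=%d (offset 0x%08x) checked=%d\n",
                    index, weak, off32, safe);
    }
    return 0;
}
```

The two wrapping cases are accepted by the unchecked version and rejected by the checked one, while the boundary indices 255 and 256 behave identically in both.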

--------------------------------------------------------------------
6. Supporting Evidence

Consistent crash offset and namespace 31 violation found in:

ExcUserFault_MobileSafari-2025-12-25-131432.ips
ExcUserFault_SafariViewService-2025-12-25-062945.ips

--------------------------------------------------------------------
7. Disclosure

Apple Security is being notified at the same time as this public
mailing list post, as they are CC'd on this email. This is not a
coordinated disclosure; notification to Apple and the broader community
is occurring simultaneously.

--------------------------------------------------------------------
8. Legal Disclaimer

Provided for authorized security research only.
Unauthorized use is prohibited and may be unlawful.

--------------------------------------------------------------------

Thank you,
Joseph Goydish II
