GitHub - MEKOD/not-a-security-issue: A deterministic Use-After-Free (UAF) in com.apple.iokit.IOSurface affecting macOS 15.x through 26.x. Reported to Apple, but they were 'unable to identify a security issue.' So, here is the PoC for the community to decide.


🍎 IOSurface Kernel Teardown Panic (macOS 15.x / 26.x)

This repository documents a deterministic kernel panic triggered from an unprivileged user context within com.apple.iokit.IOSurface, affecting both macOS 15.x and the latest 26.x releases.

🛡️ Disclosure Context

This issue was reported to Apple and underwent their official security review process. Apple's final determination was:

"We’re unable to identify a security issue in your report."

As this has been officially classified by the vendor as not a security vulnerability, this Proof of Concept is being shared publicly as a technical curiosity regarding system stability and "intended" kernel behavior.


🧩 Technical Summary

The PoC triggers a kernel panic during process teardown by inducing a complex state within the IOSurface memory management logic.

Key Observations:

  • Zero Privileges Required: Can be triggered by any standard userland process.
  • Stateful Corruption: Requires a specific sequence of ~386,000 operations to prime the kernel heap.
  • Deterministic: Replicates the exact crash state every time using a fixed RNG seed.
  • Reliable Results: Consistently leads to a system-wide Denial of Service (Kernel Panic).

⚙️ Mechanics

  1. Heap Grooming: Strategic fragmentation of the kernel heap.
  2. Deterministic Mutation: Synchronized property manipulation.
  3. Massive Key Injection: Forcing specific allocation patterns (~65KB).
  4. Teardown Trigger: The panic occurs during the cleanup of these "non-security" structures.

🛠️ Build & Run

# Compile with Apple-specific framework linking
clang++ -Wall -O3 not_a_security_issue.cpp -o poc \
  -framework IOSurface \
  -framework CoreFoundation \
  -framework IOKit

./poc

Note: Your system will perform a rapid reboot shortly after execution.


📊 Fact Sheet

  • Target: com.apple.iokit.IOSurface
  • Class: Memory Corruption / Denial of Service
  • Status: Confirmed by Vendor as Non-Vulnerability

⚖️ Legal & Ethical Disclaimer

This repository is for educational and research purposes only. Since the vendor has officially stated that this behavior does not constitute a security issue, the author is sharing this documentation under the assumption that it poses no risk to the security of macOS users. The author is not responsible for any system crashes, data loss, or "stability improvements" resulting from the use of this code.

Use at your own risk. Or don't—after all, it's not a security issue.