This page lists various kernel exploits used in jailbreaks.
Simple Kernel Exploit
- kfd
- kfd, being short for kernel file descriptor, is a project to read and write kernel memory on Apple devices. It leverages various vulnerabilities that can be exploited to obtain dangling PTEs, which will be referred to as a PUAF primitive, short for "physical use-after-free". Then, it reallocates certain kernel objects inside those physical pages and manipulates them directly from user space through the dangling PTEs in order to achieve a KRKW primitive, short for "kernel read/write".
- kfd is a kernel exploit that is classified into three types:
- oobPCI
- CVE-2022-26763; this exploit can be used to read and write kernel memory.
Famous jailbreak tools that use kernel exploits
Exploits by Version
iPhone OS 1
iPhone OS 2
iPhone OS 3
- BPF_STX Kernel Write Exploit
- Malformed CFF Vulnerability
- IOSurface Kernel Exploit
- Packet Filter Kernel Exploit
iOS 4
- IOSurface Kernel Exploit
- Packet Filter Kernel Exploit
- HFS Legacy Volume Name Stack Buffer Overflow
- Packet Filter Kernel Exploit
- IOMobileFrameBuffer Privilege Escalation Exploit
- ndrv_setspec() Integer Overflow
iOS 5
iOS 6
- Shebang Trick
- IOUSBDeviceFamily Vulnerability
- ARM Exception Vector Info Leak
- Dynamic memmove() locating
- Kernel Memory Write via ROP gadget
- posix_spawn kernel information leak
- posix_spawn Kernel Exploit
- mach_msg_ool_descriptor_ts for heap shaping
iOS 7
iOS 8
- mach_port_kobject Exploit
- IOSharedDataQueue Notification Port Overwrite
- The kernel exploit used in the first Pangu jailbreak
- mach_port_kobject Exploit
- ptmx_get_ioctl Crafted Call
- Mach-O OSBundleHeaders Info Leak
- mach_port_kobject Exploit
- IOHIDFamily Kernel Exploit
- OSUnserialize Information Leak
- CVE-2016-4656
iOS 9
- IOHIDFamily Use-After-Free
- IOMobileFrameBuffer Exploit
- OSUnserialize Information Leak
- CVE-2016-4656
- mach_port_register Kernel Exploit
iOS 10
iOS 11
iOS 12
- voucher_swap
- SockPuppet
- cuck00 information leak
- AppleSPUProfileDriver information leak
- oob_timestamp