oobPCI
Vulnerability in XNU
Software: iOS
Vulnerable in: 15.0 - 15.4.1
Fixed in: 15.5
Disclosed: 16 May 2022 (2022-05-16)
Discovered by: Linus Henze
CVE: CVE-2022-26763
Apple KB: HT213258

CVE-2022-26763, also known as oobPCI, is an out-of-bounds read/write vulnerability in DriverKit, specifically in the IOPCIDevice class, that allows an attacker to read from and write to kernel memory.

Taking a look at one of the vulnerable functions, it is easy to see how the bug works. IOPCIDevice::deviceMemoryWrite64 takes three parameters: a memory index, an offset, and the data to be written. The index selects one of the device's memory mappings, whose base address is used for the write; the offset is then added to that base and the data is written there.

The vulnerability is that the offset is never validated, so an attacker can specify an offset so large that the resulting address lies outside the PCI device's memory region and inside regular kernel memory. Kernel memory can thus be read and written through this interface.
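The following is an added, simplified model of the bug pattern described above, written for this page; it is not Apple's DriverKit or XNU code. The function names (write64_unchecked, write64_checked), the mapping table and the byte arena are all constructed for the example. The first function reproduces the defect (index checked, offset not), the second shows the bounds check that closes it, using an overflow-safe comparison so a huge offset cannot wrap past the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed arena: the first MAPPING_SIZE bytes stand in for a PCI device
 * memory mapping; the bytes after it stand in for unrelated kernel memory that
 * happens to follow the mapping. Keeping both in one array keeps the demo
 * well-defined C while still showing the write landing outside the mapping. */
#define ARENA_SIZE   256
#define MAPPING_SIZE 64
static uint8_t arena[ARENA_SIZE];

/* Hypothetical mapping descriptor: base address and length in bytes. */
typedef struct {
    uint8_t *base;
    size_t   length;
} mem_mapping_t;

/* Hypothetical per-device mapping table, indexed by the "memory index". */
static mem_mapping_t mappings[] = {
    { arena, MAPPING_SIZE },
};
#define NUM_MAPPINGS (sizeof mappings / sizeof mappings[0])

/* Vulnerable pattern (constructed): the index is range-checked, but the offset
 * is added to the mapping base and dereferenced without being compared against
 * the mapping length. Returns 0 on "success", -1 for a bad index. */
int write64_unchecked(uint32_t index, uint64_t offset, uint64_t data)
{
    if (index >= NUM_MAPPINGS)
        return -1;
    uint8_t *dst = mappings[index].base + offset; /* no bounds check on offset */
    memcpy(dst, &data, sizeof data);
    return 0;
}

/* Hardened pattern (constructed): reject any offset where the 8-byte access
 * would not fit entirely inside the selected mapping. The subtraction form
 * avoids computing offset + 8, which could wrap for very large offsets.
 * Returns 0 on success, -1 for a bad index, -2 for an out-of-range offset. */
int write64_checked(uint32_t index, uint64_t offset, uint64_t data)
{
    if (index >= NUM_MAPPINGS)
        return -1;
    const mem_mapping_t *m = &mappings[index];
    if (offset > m->length || m->length - offset < sizeof data)
        return -2;
    memcpy(m->base + offset, &data, sizeof data);
    return 0;
}

/* Read back 8 bytes at an arena position so the effect of a write is observable. */
uint64_t arena_read64(size_t at)
{
    uint64_t v;
    memcpy(&v, arena + at, sizeof v);
    return v;
}

/* Demonstrates the defect: an offset past the 64-byte mapping is accepted by the
 * unchecked writer and modifies memory that does not belong to the mapping.
 * Returns true when the out-of-bounds write is observed. */
bool demo_out_of_bounds(void)
{
    memset(arena, 0, sizeof arena);
    uint64_t offset = 128; /* beyond the mapping, still inside the arena */
    write64_unchecked(0, offset, 0x4141414141414141ULL);
    return arena_read64(128) == 0x4141414141414141ULL;
}

int main(void)
{
    printf("unchecked write escaped the mapping: %s\n",
           demo_out_of_bounds() ? "yes" : "no");
    printf("checked write at offset 128: rc=%d\n", write64_checked(0, 128, 1));
    printf("checked write at offset 56:  rc=%d\n", write64_checked(0, 56, 1));
    return 0;
}
```

The check in write64_checked is the whole fix: the offset plus the access width must fit inside the mapping selected by the index. Writing the comparison as `length - offset < sizeof data` after ensuring `offset <= length` keeps it correct for offsets near the top of the 64-bit range, where `offset + sizeof data` would wrap to a small value and slip past a naive check.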

This vulnerability is only exploitable if the binary has DriverKit entitlements, which are only provided to developer accounts with Apple's approval. Fugu15 and Dopamine use the CoreTrust Root Certificate Validation Vulnerability to obtain these entitlements.

External links