weightBufs is a chain of bugs inside the Apple Neural Engine that achieves kernel read/write primitives on iOS 15.0 - 15.5. It makes use of four vulnerabilities:
- CVE-2022-32845: aned signature check bypass for model.hwx.
- CVE-2022-32948: DeCxt::FileIndexToWeight() OOB Read due to lack of array index validation.
- CVE-2022-42805: ZinComputeProgramUpdateMutables() potential arbitrary read due to Integer overflow issue.
- CVE-2022-32899: DeCxt::RasterizeScaleBiasData() Buffer underflow due to integer overflow issue.
CVE-2022-32899 affects all versions of iOS 15. The other three CVEs were patched in iOS 15.6.