CVE-2015-7084

Apple iOS <9.2, macOS <10.11.2, tvOS <9.1, watchOS <2.1 - Memory Corruption in Kernel

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-7084. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit demonstrates a kernel race condition in IORegistryIterator::reset() on OS X, leading to use-after-free and RIP control via heap manipulation. It leverages OSUnserializeXML to place controlled data on the freelist, enabling arbitrary code execution in the kernel.

Description

The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-7083.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Google Security Research · textdososx
https://www.exploit-db.com/exploits/39357

This exploit demonstrates a kernel race condition in IORegistryIterator::reset() on OS X, leading to use-after-free and RIP control via heap manipulation. It leverages OSUnserializeXML to place controlled data on the freelist, enabling arbitrary code execution in the kernel.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Apple OS X (XNU kernel)
No auth needed
Prerequisites: Local access to the target system · Ability to execute arbitrary code in userspace
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Google Security Research · cdosmultiple
https://www.exploit-db.com/exploits/39366

This exploit demonstrates a race condition in the IORegistryIteratorExitEntry function in OS X and iOS kernels, leading to a double-free vulnerability. The PoC uses multithreading to trigger the race condition, potentially causing kernel memory corruption.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Racy
Target: Apple OS X and iOS (tested on El Capitan 10.10.1)
No auth needed
Prerequisites: Access to a vulnerable OS X or iOS system · Kernel zone poisoning and corruption checks enabled (-zc and -zp boot args)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (12)

Core 12
Core References
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205635
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205637
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1034344
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Dec/msg00002.html
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Dec/msg00005.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39357/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/78719
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39366/
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205641
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205640
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Dec/msg00001.html

Scores

EPSS 0.0034
EPSS Percentile 56.8%

Details

CWE
CWE-119
Status published
Products (4)
apple/iphone_os < 9.1
apple/mac_os_x < 10.11.1
apple/tvos < 9.0
apple/watchos < 2.0
Published Dec 11, 2015
Tracked Since Feb 18, 2026