CVE-2016-1720

HIGH

IOKit <9.2.1-10.11.3-9.1.1 - Privilege Escalation/DoS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-1720. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit triggers a kernel use-after-free (UaF) vulnerability in macOS by calling IOServiceClose on two threads simultaneously, leading to a race condition in the IOKit framework. It targets the IntelAccelerator service and demonstrates a denial-of-service (DoS) or potential privilege escalation via kernel memory corruption.

Description

IOKit in Apple iOS before 9.2.1, OS X before 10.11.3, and tvOS before 9.1.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · cdososx

https://www.exploit-db.com/exploits/39367

View Code ZIP pw:eip

This exploit triggers a kernel use-after-free (UaF) vulnerability in macOS by calling IOServiceClose on two threads simultaneously, leading to a race condition in the IOKit framework. It targets the IntelAccelerator service and demonstrates a denial-of-service (DoS) or potential privilege escalation via kernel memory corruption.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Racy

Target: macOS El Capitan 10.10.1 (15b42)

No auth needed

Prerequisites: macOS El Capitan 10.10.1 · IntelAccelerator service availability

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (12)

Core 12

Core References

Vendor Advisory x_refsource_confirm

https://support.apple.com/HT206168

Vendor Advisory x_refsource_confirm

https://support.apple.com/HT205731

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/135435/IOKit-Methods-Being-Called-Without-Locks-From-IOServiceClose.html

Vendor Advisory x_refsource_confirm

https://support.apple.com/HT205729

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/39367/

Exploit x_refsource_misc

https://code.google.com/p/google-security-research/issues/detail?id=597

Mailing List, Vendor Advisory vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2016/Jan/msg00005.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1034736

Mailing List, Vendor Advisory vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2016/Jan/msg00003.html

Mailing List, Vendor Advisory vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html

Mailing List, Vendor Advisory vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2016/Jan/msg00002.html

Vendor Advisory x_refsource_confirm

https://support.apple.com/HT205732

Scores

CVSS v3 7.8

EPSS 0.0024

EPSS Percentile 47.9%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-119

Status published

Products (4)

apple/iphone_os < 9.2.1

apple/mac_os_x < 10.11.3

apple/tvos < 9.1.1

apple/watchos < 2.2

Published Feb 01, 2016

Tracked Since Feb 18, 2026