CVE-2016-1828

HIGH

Apple iOS <9.3.2, OS X <10.11.5, tvOS <9.2.1, watchOS <2.2.1 - RCE/DoS

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2016-1828. PoCs published by Brandon Azad, bazad, SideGreenHand100.

AI-analyzed exploit summary This is a writeup describing the rootsh exploit, which targets CVE-2016-1758 and CVE-2016-1828 for local privilege escalation on OS X Yosemite 10.10.5. It explains the vulnerabilities and provides context but does not include actual exploit code.

Description

The kernel in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app, a different vulnerability than CVE-2016-1827, CVE-2016-1829, and CVE-2016-1830.

Exploits (4)

exploitdb WRITEUP

by Brandon Azad · localosx

https://www.exploit-db.com/exploits/44239

View Code ZIP pw:eip

This is a writeup describing the rootsh exploit, which targets CVE-2016-1758 and CVE-2016-1828 for local privilege escalation on OS X Yosemite 10.10.5. It explains the vulnerabilities and provides context but does not include actual exploit code.

Classification

Writeup 90%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: OS X Yosemite 10.10.5 build 14F27

No auth needed

Prerequisites: Access to a vulnerable OS X Yosemite 10.10.5 system · SMAP must be disabled

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1003 - OS Credential Dumping

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 86 stars

by bazad · poc

https://github.com/bazad/rootsh

View Code ZIP pw:eip

This repository contains a functional local privilege escalation exploit for CVE-2016-1828, targeting OS X Yosemite 10.10.5. It leverages a use-after-free vulnerability in OSUnserializeBinary to achieve kernel code execution via ROP, combined with an info leak (CVE-2016-1758) to bypass KASLR.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Apple OS X Yosemite 10.10.5 (build 14F27)

No auth needed

Prerequisites: 32-bit process execution environment · SMAP disabled · Access to /System/Library/Kernels/kernel

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1003 - OS Credential Dumping

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec STUB

by SideGreenHand100 · poc

https://github.com/SideGreenHand100/bazad5

View Code ZIP pw:eip

The repository contains only a minimal README with a brief description of a local privilege escalation exploit for OS X 10.10.5 via CVE-2016-1828, but no actual exploit code or technical details.

Classification

Stub 90%

Attack Type

Lpe

Complexity

Theoretical

Reliability

Theoretical

Target: OS X 10.10.5

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec STUB

by berritus163t · poc

https://github.com/berritus163t/bazad5

View Code ZIP pw:eip

The repository contains only a minimal README with a brief description of CVE-2016-1828 but no actual exploit code or technical details. It lacks functional PoC or analysis.

Classification

Stub 90%

Attack Type

Lpe

Complexity

Theoretical

Reliability

Theoretical

Target: OS X 10.10.5

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →