CVE-2026-28992

MEDIUM

iOS and iPadOS < 18.7.9 - Denial of Service via Memory Corruption

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-28992. PoCs published by zeroxjf.

AI-analyzed exploit summary: The repository contains functional exploit code demonstrating two race conditions in IOHIDFamily's FastPathUserClient, leading to kernel panics via a use-after-free (UAF) and AOP panic mechanisms. The PoCs leverage improper locking and entitlement checks to trigger memory corruption.

Description

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An attacker may be able to cause unexpected app termination.

Exploits (1)

nomisec · WORKING POC · 8 stars
by zeroxjf · poc
https://github.com/zeroxjf/CVE-2026-28992-IOHIDFamily-FastPathUserClient-Race-Conditions

Classification: Working PoC (95%)
Attack Type: DoS
Complexity: Complex
Reliability: Racy
Target: Apple IOHIDFamily (iOS 26.5 and iPadOS 26.5)
No auth needed
Prerequisites: iOS/iPadOS device with vulnerable IOHIDFamily kext · ability to run sandboxed app
Analyzed by devstral-2 on May 12, 2026

Scores

CVSS v3: 4.7
EPSS: 0.0001
EPSS Percentile: 2.1%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-362
Status: published
Products (14):
- Apple/iOS and iPadOS < 18.7.9
- Apple/iOS and iPadOS < 26.5
- apple/ipados < 18.7.9
- apple/iphone_os < 18.7.9
- Apple/macOS < 14.8.7
- Apple/macOS < 15.7.7
- Apple/macOS < 26.5
- apple/macos 14.0 - 14.8.7
- Apple/tvOS < 26.5
- apple/tvos < 26.5
- ... and 4 more
Published: May 11, 2026
Tracked Since: May 12, 2026