EIP-2026-103408

PRE-CVE

Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-103408. PoCs published by Google Security Research.

AI-analyzed exploit summary: This exploit targets a vulnerability in the userspace IODataQueue implementation within the io_hideventsystem MIG service. By manipulating shared memory fields (length, head, tail), an attacker can cause out-of-bounds enqueuing, leading to a crash in hidd or backboardd. The PoC includes a dylib to interpose mach_vm_map and modify the shared memory fields.

Description

Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · text · dos · multiple
https://www.exploit-db.com/exploits/45648

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: macOS 10.13.6, iOS 11.3.1 (io_hideventsystem in IOKit.framework)
No auth needed
Prerequisites: Access to the target system · Ability to run the provided scripts and dylib
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026