Use-after-free in AppleKeyStore
CVE-2026-20637 is a use-after-free vulnerability in AppleKeyStore. Apple states that the issue was addressed with improved memory management. Successful triggering of the flaw by a local app may lead to unexpected system termination. The issue affects multiple Apple platforms and was fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, and watchOS 26.3.
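The advisory names the first fixed release on each platform line but leaves the "am I patched?" comparison to the reader. The following is an added example, not part of Apple's advisory or of any tracked repository: a fixed-version check built only from the releases listed above. The macOS major-to-codename mapping (14 Sonoma, 15 Sequoia, 26 Tahoe) is taken from those release names; `sw_vers -productVersion` is the standard macOS query. A version on a major line the advisory does not name (for example iOS 17) is reported as `unknown`, not as `patched`, because the advisory says nothing about it.

```python
"""Check whether an Apple OS version carries the CVE-2026-20637 fix.

Added example: the fixed releases below are copied from the Apple
advisory text on this page; everything else is illustrative.
"""
from __future__ import annotations

import subprocess

# First fixed release per platform and per major-version line, as (major, minor, patch).
FIXED_VERSIONS: dict[str, dict[int, tuple[int, int, int]]] = {
    "iOS":      {18: (18, 7, 7), 26: (26, 3, 0)},
    "iPadOS":   {18: (18, 7, 7), 26: (26, 3, 0)},
    "macOS":    {14: (14, 8, 5),    # Sonoma 14.8.5
                 15: (15, 7, 5),    # Sequoia 15.7.5
                 26: (26, 3, 0)},   # Tahoe 26.3
    "tvOS":     {26: (26, 3, 0)},
    "visionOS": {26: (26, 3, 0)},
    "watchOS":  {26: (26, 3, 0)},
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '26.3' or '15.7.5' into a zero-padded (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(platform: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one platform/version pair.

    'unknown' means the advisory lists no fixed release on that major line,
    so this advisory does not tell us the status of that host.
    """
    lines = FIXED_VERSIONS.get(platform)
    if lines is None:
        raise ValueError(f"platform not covered by the advisory: {platform!r}")
    current = parse_version(version)
    fixed = lines.get(current[0])
    if fixed is None:
        return "unknown"
    return "patched" if current >= fixed else "vulnerable"


def assess_local_mac() -> str:
    """Assess the macOS host this runs on via sw_vers (meaningful only on macOS)."""
    out = subprocess.run(
        ["sw_vers", "-productVersion"], capture_output=True, text=True, check=True
    ).stdout
    return assess("macOS", out)


if __name__ == "__main__":
    for plat, ver in [("macOS", "15.7.4"), ("macOS", "15.7.5"),
                      ("iOS", "18.7.7"), ("iOS", "26.2.1"), ("iOS", "17.7")]:
        print(f"{plat} {ver}: {assess(plat, ver)}")
```

Feed `assess()` the platform and version strings your MDM or inventory already reports; the `unknown` result is worth surfacing separately rather than folding into either bucket.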
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a standalone proof-of-concept for CVE-2026-20637, a use-after-free in AppleKeyStore/AppleSEPKeyStore. Its README documents affected iOS and macOS versions 26.1–26.2 with the fix in 26.3; Apple's advisory also lists fixes on the iOS/iPadOS 18.7.7, macOS Sequoia 15.7.5 and macOS Sonoma 14.8.5 lines, so the repository's stated range is narrower than the set of affected releases. The exploit is not part of a framework. Its purpose is to reliably reproduce the bug and crash the target system via a local race condition in the IOKit user client interface.

Repository structure: the root contains README.md, LICENSE, a standalone command-line PoC in poc.m, and an iOS Xcode application under ios-app/Test.xcodeproj with standard UIKit scaffolding (AppDelegate, SceneDelegate, ViewController, storyboard/assets files). The real exploit logic exists in two places: poc.m for a direct Objective-C command-line style PoC, and ios-app/Test/ViewController.m for a button-triggered iOS app version. The remaining files are project metadata and default app boilerplate.

Exploit behavior: both implementations target the IOKit service named "AppleKeyStore". They obtain the service handle with IOServiceGetMatchingService(IOServiceMatching("AppleKeyStore")), then create a race around a shared atomic io_connect_t. Eight caller threads continuously invoke IOConnectCallMethod on selectors 0 through 15 using a fixed scalar input array, while four closer threads repeatedly call IOServiceClose on the same connection and clear the shared handle. Meanwhile, the main thread rapidly performs 100,000 IOServiceOpen calls using rotating client types 0x2022, 0xbeef, 0x1337, and 0x4141, storing each new connection into the shared atomic variable with no delay. This creates a timing window in which the driver's IOCommandGate is used after it has been freed.

Capabilities: the code demonstrates local kernel denial of service only. It can induce unexpected system termination (a kernel panic) on vulnerable devices, which matches the vendor advisory. There is no shellcode, no network communication, no persistence, no credential theft, and no privilege-escalation or arbitrary code execution logic in the repository.

Operational notes: the iOS app requires a physical device because the simulator does not reach the target driver. The README explicitly warns that running the PoC will kernel panic the device and may risk filesystem corruption if repeated. The included panic log references "element modified after free" in iokit.IOCommandGate and the com.apple.driver.AppleSEPKeyStore extension, supporting that this is a genuine crash-triggering exploit PoC rather than a detector.
Repository contains a local Objective-C proof-of-concept for CVE-2026-20637, a use-after-free race in AppleKeyStore / AppleSEPKeyStore. The exploit does not target a network service; it is a local denial-of-service PoC that repeatedly opens AppleKeyStore user clients, has 8 worker threads invoke IOConnectCallMethod across selectors 0-15, and 4 concurrent threads call IOServiceClose on the same connection to race the IOCommandGate lifecycle and trigger a kernel panic.

Structure: (1) README.md documents the vulnerability, affected versions, expected panic, and high-level exploit logic. (2) poc.m is a standalone command-line PoC for iOS/macOS using Foundation, IOKit, Mach, pthreads, and C11 atomics. (3) ios-app/Test is an Xcode iOS application wrapping the same race in a simple UI with a button labeled 'UAF RACE'; the main exploit logic is in ios-app/Test/ViewController.m. Remaining files are standard Xcode project, storyboard, plist, and app delegate scaffolding.

Main exploit capability: induce unexpected system termination by racing IOServiceOpen, IOConnectCallMethod, and IOServiceClose against the AppleKeyStore service. The code cycles client types 0x2022, 0xbeef, 0x1337, and 0x4141 over 100,000 iterations, stores the active io_connect_t in an atomic global, and uses tight loops with no delay to maximize the race window. There is no post-exploitation payload, persistence, data theft, or remote communication. This is a crash-focused PoC demonstrating kernel memory-safety impact rather than weaponized exploitation.
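Both repository summaries above say the only observable effect is a kernel panic whose log carries "element modified after free" for the iokit.IOCommandGate zone with com.apple.driver.AppleSEPKeyStore in the kext backtrace. For anyone collecting panic reports from a fleet, that combination is the thing to look for. The following is an added example, not code from the repository or from any source the page tracks: a triage function that flags panic reports matching that signature. The sample reports are constructed and abbreviated, and the "Kernel Extensions in backtrace:" section layout (header line, indented entries, "dependency:" sub-lines, section ends at a blank line) is assumed from the usual macOS panic report format. The caveat the function encodes: "element modified after free" is the kernel allocator's generic freed-element check and fires for any use-after-free, so the zone name and the kext context are required before a report counts as a match.

```python
"""Triage kernel panic reports for the CVE-2026-20637 PoC panic signature.

Added example. Tokens come from the repository description on this page;
the report layout and the sample reports are assumptions/constructed data.
"""
from __future__ import annotations

import re

PANIC_STRING = "element modified after free"          # generic allocator check
ZONE_TOKEN = "iokit.IOCommandGate"                     # zone named in the PoC's panic log
KEXT_TOKEN = "com.apple.driver.AppleSEPKeyStore"       # kext named in the PoC's panic log
KEXT_SECTION_HEADER = "Kernel Extensions in backtrace:"  # assumed section header

_ZONE_RE = re.compile(r"zone\s+([\w.]+):")


def panic_line(report: str) -> str:
    """Return the first 'panic(...)' line of a report, or '' if there is none."""
    for line in report.splitlines():
        if line.lstrip().startswith("panic("):
            return line.strip()
    return ""


def kexts_in_backtrace(report: str) -> list[str]:
    """Collect kext bundle IDs listed under the backtrace section.

    Assumes entries follow the header on indented lines, 'dependency:' lines
    describe the entry above them, and the section ends at the first blank or
    non-indented line.
    """
    lines = report.splitlines()
    kexts: list[str] = []
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == KEXT_SECTION_HEADER)
    except StopIteration:
        return kexts
    for line in lines[start + 1:]:
        if not line.strip() or not line[0].isspace():
            break
        entry = line.strip()
        if entry.startswith("dependency:"):
            continue
        kexts.append(entry.split("(", 1)[0])   # 'bundle.id(version)[uuid]@addr' -> 'bundle.id'
    return kexts


def triage(report: str) -> dict:
    """Return the individual findings plus the combined verdict for one report."""
    first = panic_line(report)
    zone = _ZONE_RE.search(first)
    kexts = kexts_in_backtrace(report)
    findings = {
        "uaf_zone_check": PANIC_STRING in first,
        "zone": zone.group(1) if zone else None,
        "iocommandgate_zone": bool(zone) and zone.group(1) == ZONE_TOKEN,
        "sepkeystore_in_backtrace": KEXT_TOKEN in kexts,
    }
    # All three are required: the allocator message alone is not specific to this bug.
    findings["matches_poc_signature"] = (
        findings["uaf_zone_check"]
        and findings["iocommandgate_zone"]
        and findings["sepkeystore_in_backtrace"]
    )
    return findings


# Constructed, abbreviated sample in the assumed layout; not a real panic log.
SAMPLE_REPORT = """\
panic(cpu 1 caller 0xfffffff0080a1234): "zalloc: zone iokit.IOCommandGate: element modified after free (off 0x10, val 0xdeadbeefdeadbeef, sz 64, ptr 0xffffffe001234000)"
Debugger message: panic
Kernel Extensions in backtrace:
         com.apple.driver.AppleSEPKeyStore(1.0)[UUID]@0xfffffff00a000000->0xfffffff00a01ffff
            dependency: com.apple.iokit.IOCryptoAcceleratorFamily(1.0)[UUID]@0xfffffff009f00000

last started kext at 100: com.apple.filesystems.smbfs
"""

# Constructed: same generic allocator message, unrelated zone and kext, must not match.
UNRELATED_REPORT = """\
panic(cpu 0 caller 0xfffffff0080a5678): "zalloc: zone kalloc.64: element modified after free (off 0x0, val 0x41, sz 64, ptr 0xffffffe002000000)"
Kernel Extensions in backtrace:
         com.apple.filesystems.smbfs(5.0)[UUID]@0xfffffff00b000000->0xfffffff00b0fffff
"""

if __name__ == "__main__":
    for name, text in [("sample", SAMPLE_REPORT), ("unrelated", UNRELATED_REPORT)]:
        print(name, triage(text))
```

A match tells you a process on the host hit this bug (or a very similar one in the same zone); an absence of matches says nothing about attempts that did not win the race, so pair it with the version check on affected hosts rather than relying on crash telemetry alone.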
Recent activity
6 sources tracked across advisories, community write-ups, and news.
An AppleKeyStore use-after-free vulnerability that can cause unexpected system termination.
A use-after-free vulnerability that may allow an app to cause unexpected system termination.
A use-after-free vulnerability in macOS Sequoia that could allow an app to cause unexpected system termination.