Kernel memory corruption in Apple operating systems
CVE-2026-20698 is a kernel vulnerability in Apple platforms that Apple states was addressed with improved memory handling. The flaw affects the Kernel component in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4. According to Apple’s advisory text, a local app may be able to trigger unexpected system termination or corrupt kernel memory. The available information does not identify the specific vulnerable function or root cause beyond Apple’s statement that the fix involved improved memory handling.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a standalone exploit research repo for CVE-2026-20698, a heap buffer overflow in Apple XNU routing socket handling of RTA_GENMASK via PF_ROUTE. It is not part of a larger exploit framework. The code demonstrates that an unprivileged local process can open a PF_ROUTE raw socket and send crafted RTM_GET routing messages containing RTA_DST and RTA_GENMASK sockaddrs to trigger vulnerable kernel processing in rn_addmask()/routing socket code, resulting in a reliable kernel panic and device reboot on vulnerable iOS/macOS versions prior to 26.4.

Repository structure:

pf_route_crash.c is the core PoC, a minimal trigger program.

variant_probe.c is a broader harness that tests combinations of routing address flags, multiple RTM_* message types, and varying sockaddr lengths, and checks returned data for possible leaks or kernel pointer artifacts.

family_probe.c focuses on crash behavior across address families and safe/unsafe sa_len ranges, including post-stress validation.

single_family.c isolates one family/length pair for targeted testing.

genmask_escalate.c is not a working privilege-escalation exploit; it is an exploratory fuzzing/analysis tool that varies genmask length and inspects responses for corruption or pointer disclosure.

route_26_4_variants.c tests patched behavior on iOS 26.4, including alternate route operations and sysctl-based route dump paths.

variant_26_4_test.m wraps similar tests in a UIKit iOS app for on-device validation from an app context.

README.md and APPLE_SUBMISSION.md document the vulnerability, affected versions, crash variants, and disclosure details.

Main exploit capability: reliable local denial of service against vulnerable Apple devices by causing a kernel panic through malformed PF_ROUTE messages. The repo repeatedly uses destination IP 8.8.8.8 as a benign route lookup target and crafts genmask sockaddrs with attacker-controlled family and sa_len values.

The documented severe variants include AF_UNIX and AF_LINK with minimal sa_len values, plus AF_INET/AF_INET6 boundary cases. Although the documentation discusses theoretical potential for memory corruption and kernel code execution on kernels lacking bounds-safety mitigations, no weaponized RCE or privilege-escalation payload is present. Overall maturity is best classified as PoC/research-grade exploit code with extensive variant analysis rather than an operational post-exploitation tool.