IOHIDFamily memory corruption leading to app termination
CVE-2026-28992 is a memory corruption vulnerability in Apple's IOHIDFamily component. Apple states the issue was addressed with improved locking, indicating a concurrency/locking flaw that could lead to memory corruption during IOHIDFamily operations. The vendor describes the resulting impact as unexpected app termination. The issue was fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Apple credits Johnny Franks (@zeroxjf).
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains two standalone Xcode iOS application PoCs targeting CVE-2026-28992 in Apple IOHIDFamily, specifically IOHIDEventServiceFastPathUserClient. It is not part of an exploit framework. The repo structure is split into two app projects: UAFPoc/ for a kernel use-after-free/copyEvent race and AOPPanicPoc/ for an AOP/SPU panic via termination race and mailbox saturation. Most files are standard Xcode scaffolding (AppDelegate, SceneDelegate, storyboards, plist, assets); the substantive exploit logic is concentrated in AOPPanicPoc/AOPPanicPoc/ViewController.m, while README.md and report.txt document both bugs in detail. Core capability: from a normal sandboxed iOS app with no special entitlements, the code dynamically uses IOKit APIs to locate/open IOHIDEventService with IOServiceOpen(..., type=2), creating IOHIDEventServiceFastPathUserClient connections. The exploit abuses an authorization bypass by supplying XML properties FastPathHasEntitlement and FastPathMotionEventEntitlement to selector 0 (open), which the vulnerable gate incorrectly trusts. After bypassing the gate, the PoCs create high-frequency connection lifecycle races using IOConnectCallMethod selector 0/1 and mach_port_destroy or mach_port_destruct to trigger asynchronous teardown paths. The documented UAF vector uses multiple connections to the same provider so that close/terminate frees provider-side objects while concurrent open/copyEvent activity iterates shared collections under inconsistent locking, producing a kernel UAF and panic/reboot. The AOP panic vector repeatedly opens and destroys gated connections to SPU-backed providers, saturating the outbox and causing an AOP firmware assertion and device reboot. No remote C2, network scanning, or external callback infrastructure is present; this is a local denial-of-service/kernel crash PoC rather than a code-execution implant. The exploit appears to be proof-of-concept quality: reliable enough to reproduce crashes on listed test devices, but focused on panic/reboot rather than privilege escalation or a post-exploitation payload.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
21 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A denial-of-service style vulnerability in IOHIDFamily that may allow an attacker to cause unexpected app termination.
A memory corruption vulnerability in macOS Tahoe that may allow an attacker to cause unexpected app termination.
A memory corruption vulnerability in macOS Sonoma that may allow an attacker to cause unexpected app termination.
A memory corruption vulnerability that could allow an attacker to cause unexpected app termination.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.