Memory corruption in AppleJPEG media file processing

This repository is a compact local macOS exploit PoC for an AppleJPEGXL use-after-free, identified in comments as CVE-2026-28956. It is not part of a common exploit framework. The structure is simple: README.md is a minimal pointer to an external write-up; cgimagesource.m is the main trigger program; interpose_free.c is an exploit-assistance DYLD interposer that hooks free() to poison freed AppleJPEGXL buffers; and interpose_profile.c is a profiling interposer that logs malloc/free activity from AppleJPEGXL for heap analysis. The main PoC in cgimagesource.m is an Objective-C command-line program that accepts a crafted .jxl file, loads it into NSData, creates a CGImageSource via CGImageSourceCreateWithData, iterates images, and forces full pixel decoding by drawing each image into a bitmap context. This is explicitly intended to exercise the same ImageIO/CoreGraphics decode path used by Safari/WebContent and other Apple applications such as Mail and Preview. The vulnerability is triggered when the image source is released, causing AppleJPEGXL's JxlDecoderDestroy path to execute and hit the use-after-free. The code also disables GPU acceleration before triggering, likely to stabilize the software decode path. interpose_free.c materially increases exploit capability beyond a bare crash PoC. It uses DYLD interposition to replace free() for frees originating from AppleJPEGXL. In default "regctl" mode, it fills freed buffers with the ASB target value read from commpage memory, aiming to influence crash-state registers and demonstrate register control. In "arbrw" mode, enabled by ASB_MODE=arbrw, it fills freed memory with the ASB target address so later dereferences by framework code can demonstrate arbitrary read/write-oriented behavior. The comments explain the intended destructor behavior and how crafted pointer placement can induce reads and writes relative to the ASB target address. This makes the repository more than a simple detector: it is an operational exploitability demonstration toolkit. interpose_profile.c is a supporting analysis tool rather than the primary exploit. It hooks malloc() and free(), but only logs operations whose callers resolve to AppleJPEGXL. This helps characterize heap layout and call sites during decoding, with output suitable for parsing by a mutation or test harness. Overall, the repository’s purpose is to demonstrate local reachability and exploitability characteristics of an AppleJPEGXL UAF through the ImageIO decode pipeline using a malicious JPEG XL file, with additional tooling to capture Apple Security Bounty target flags, influence freed memory contents, and profile allocator behavior.