Mallory
High severity · Public exploit

Out-of-bounds read in Apple IOSurfaceAccelerator

Identifiers: CVE-2026-43655 · CWE-125 (Out-of-bounds Read)

CVE-2026-43655 is an out-of-bounds read vulnerability in Apple's IOSurfaceAccelerator component. Apple states the issue was addressed with improved bounds checking. Successful exploitation by a local app may trigger an invalid read in kernel-associated memory handling, leading to unexpected system termination or exposure of kernel memory contents. The issue was fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, and watchOS 26.5.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A malicious app may be able to cause unexpected system termination (kernel panic / denial of service) or read kernel memory. Kernel memory disclosure can weaken platform security boundaries by exposing sensitive kernel-resident data and may aid further exploitation.

Mitigation

If you can’t patch tonight, do this now.

Until patched, reduce exposure by limiting installation and execution of untrusted or unnecessary apps, especially on affected Apple platforms. Enterprise controls such as application allowlisting, MDM-enforced software update compliance, and restricting local app execution can reduce exploit opportunity. No vendor-provided workaround beyond updating is described in the provided content.

Remediation

Patch, then assume compromise.

Apply the vendor fixes released by Apple in iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, and watchOS 26.5. Apple indicates the vulnerability was remediated through improved bounds checking in the affected component.
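A fleet-side check for the patch path above, added here as an example and not part of the advisory: it compares each device's OS build against the fixed versions the advisory lists, comparing version components numerically so a build such as 26.10 is not mistaken for an older one than 26.5. The inventory records and hostnames are constructed for illustration.

```python
# Fixed versions per platform, taken from the advisory text for CVE-2026-43655.
FIXED_VERSIONS = {
    "ios": "26.5",
    "ipados": "26.5",
    "macos": "26.5",
    "tvos": "26.5",
    "watchos": "26.5",
}


def parse_version(version: str) -> tuple:
    """Turn '26.5.1' into (26, 5, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(platform: str, version: str) -> bool:
    """True if the device runs a build at or above the advisory's fixed version.

    Platforms the advisory does not list are reported as not exposed; tighten
    this if your own inventory tracks additional affected products.
    """
    fixed = FIXED_VERSIONS.get(platform.lower())
    if fixed is None:
        return True
    have, need = parse_version(version), parse_version(fixed)
    # Pad to equal length so that (26, 5) compares equal to (26, 5, 0).
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def exposed_devices(inventory):
    """Return hostnames of (hostname, platform, version) records still vulnerable."""
    return [host for host, platform, ver in inventory if not is_patched(platform, ver)]


# Constructed sample inventory; hostnames are hypothetical.
SAMPLE_INVENTORY = [
    ("mbp-finance-01", "macos", "26.4.1"),
    ("mbp-eng-07", "macos", "26.5"),
    ("iphone-exec-02", "ios", "26.3"),
    ("ipad-kiosk-03", "ipados", "26.10"),
    ("watch-ops-01", "watchos", "26.5.1"),
]

if __name__ == "__main__":
    for host in exposed_devices(SAMPLE_INVENTORY):
        print(f"EXPOSED to CVE-2026-43655: {host}")
```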
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 1 / 1 total

CVE-2026-43655-AppleM2ScalerCSCDriver-UAF · Maturity: PoC · Verified exploit

Repository is a small, self-contained Objective-C proof-of-concept for CVE-2026-43655, an AppleM2ScalerCSCDriver / IOSurfaceAccelerator use-after-free reachable from a default iOS app sandbox. Structure is minimal: README.md provides the technical write-up and reproduction steps, ScalerTeardownUAF.m contains the full exploit logic and iOS UI wrapper, and entitlements.plist contains only get-task-allow for signing. The code is not part of a larger exploit framework.

The main exploit flow is implemented in ScalerTeardownUAF.m inside UAFVC::runUAF. It obtains the AppleM2ScalerCSCDriver service with IOServiceGetMatchingService, opens a victim connection with IOServiceOpen, creates source and destination IOSurface objects, and submits a synchronous baseline request via IOConnectCallMethod selector 1. It then sets a victim marker value 0xDEAD0001 using selector 10, submits 50 asynchronous operations by setting TSD offset 0x008 to 1, and closes the victim connection with IOServiceClose. After teardown, it opens 50 replacement spray connections to the same driver, sets each spray connection marker to 0xBEEF0002 via selector 10, and repeatedly submits additional async operations to encourage allocator reuse and scheduler activity.

The exploit capability is to reliably prime a stale scheduler entry in a shared kernel scheduler and demonstrate that the scheduler later dereferences freed-and-reused operation memory. The intended observable is a panic/reboot where register x9 contains 0xBEEF0002, proving the scheduler read replacement connection data rather than the original victim marker. The README further explains that the actual trigger may occur later when SpringBoard/compositor activity drives another scaler scheduling cycle, making this a cross-connection and potentially cross-process trigger condition. No network communication, remote C2, or external URLs are present.

The relevant fingerprintable targets are local IOKit service names, bundle identifiers, and build/package file paths. Overall, this is a genuine local kernel crash/UAF reproduction PoC focused on demonstrating memory lifetime corruption rather than achieving privilege escalation or code execution.

Somisomair · Disclosed Jun 21, 2026 · objective-c, xml · local
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product     Type
Apple    Ios         operating_system
Apple    Ipados      operating_system
Apple    Iphone Os   operating_system
Apple    Macos       operating_system
Apple    Tvos        operating_system
Apple    Watchos     operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
