Google Project Zero researcher Jann Horn uncovered a sophisticated **vulnerability** in Apple’s **macOS and iOS** that allows attackers to bypass **Address Space Layout Randomization (ASLR)**, a critical memory protection mechanism, by exploiting **pointer leaks in the NSKeyedArchiver serialization framework**. The flaw leverages Apple’s **Core Foundation framework**, specifically the way **NSDictionary hash tables** and the **CFNull singleton** are handled, to extract memory addresses through deserialization and re-serialization of attacker-controlled data. While no real-world exploitation was confirmed, the technique could enable **highly reliable ASLR bypasses**, paving the way for advanced memory corruption attacks. Apple patched the issue in its **March 31, 2025, security update**, but the vulnerability underscores risks in **pointer-based hashing** and **serialization security**. The attack only requires an app to process malicious serialized data and return the re-serialized result, exposing memory layout details without a traditional memory corruption bug such as a buffer overflow. Though theoretical, it highlights systemic weaknesses in framework-level security design, particularly in **legacy serialization mechanisms** used across Apple’s ecosystem.
TPRM report: https://www.rankiteo.com/company/apple
{
  "id": "app1632416092925",
  "linkid": "apple",
  "type": "Vulnerability",
  "date": "3/2025",
  "severity": "25",
  "impact": "",
  "explanation": "Attack without any consequences: Attack in which data is not compromised"
}
{
  "affected_entities": [
    {
      "industry": "Technology",
      "location": "Cupertino, California, USA",
      "name": "Apple Inc.",
      "size": "Large (Multinational)",
      "type": "Corporation"
    }
  ],
  "attack_vector": [
    "Serialization Exploit",
    "Pointer Leak",
    "NSKeyedArchiver Manipulation",
    "Hash Table Abuse"
  ],
  "customer_advisories": [
    "Users advised to update to latest macOS/iOS versions post-March 2025"
  ],
  "date_publicly_disclosed": "2025-03-31",
  "date_resolved": "2025-03-31",
  "description": "Google Project Zero researcher Jann Horn disclosed a sophisticated vulnerability affecting Apple’s macOS and iOS operating systems that demonstrates how attackers could potentially bypass Address Space Layout Randomization (ASLR) protections through an innovative exploitation of pointer leaks in serialization processes. The vulnerability exploits pointer-keyed data structures within Apple’s NSKeyedArchiver serialization framework, creating a pathway for memory address disclosure via legitimate application functionality. The attack requires an application to deserialize attacker-controlled data, re-serialize the resulting objects, and return the serialized output to the attacker, revealing critical memory layout information. The technique leverages the CFNull singleton instance in Apple’s Core Foundation framework, using pointer addresses as hash codes when custom hash handlers are not implemented. While theoretical, this could be integrated with other exploitation methods to systematically defeat ASLR protections.",
  "impact": {
    "brand_reputation_impact": "Minimal (theoretical vulnerability with no real-world exploitation)",
    "systems_affected": ["macOS (theoretical)", "iOS (theoretical)"]
  },
  "investigation_status": "Resolved (Vulnerability patched; no real-world exploitation identified)",
  "lessons_learned": [
    "Pointer-based hashing in keyed data structures can create unexpected information disclosure channels",
    "Serialization frameworks require rigorous security review for memory address leakage risks",
    "ASLR bypass techniques can emerge from legitimate framework functionality, not just coding errors",
    "Proactive vulnerability research (e.g., Project Zero) is critical for identifying theoretical attack vectors before real-world exploitation"
  ],
  "motivation": ["Research", "Theoretical Exploitation"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Updated Core Foundation to prevent pointer address leakage in hash tables",
      "Modified NSKeyedArchiver to disrupt serialization-based information disclosure",
      "Enhanced security reviews for framework-level serialization mechanisms"
    ],
    "root_causes": [
      "Use of pointer addresses as hash codes in Core Foundation when custom hash handlers absent",
      "Predictable memory patterns in CFNull singleton instance",
      "Information disclosure via serialization/deserialization cycles of NSDictionary objects",
      "Lack of input validation for attacker-controlled serialized data"
    ]
  },
  "recommendations": [
    "Avoid using object addresses as lookup keys in system frameworks",
    "Implement keyed hash functions to prevent pointer equality oracles",
    "Conduct security audits of serialization/deserialization processes",
    "Monitor for unusual patterns in serialized data payloads (e.g., crafted NSDictionary structures)",
    "Adopt memory-safe alternatives to pointer-based hashing where possible"
  ],
  "references": [
    {"source": "Google Project Zero Blog"},
    {"source": "Apple Security Release Notes (March 31, 2025)"}
  ],
  "response": {
    "communication_strategy": ["Security release notes (2025-03-31)"],
    "containment_measures": ["Framework updates in March 2025 security release"],
    "incident_response_plan_activated": "Yes (Apple internal remediation)",
    "remediation_measures": [
      "Avoided object addresses as lookup keys in Core Foundation",
      "Implemented keyed hash functions to minimize pointer equality oracles",
      "Updated NSKeyedArchiver serialization mechanisms"
    ],
    "third_party_assistance": "Google Project Zero (research disclosure)"
  },
  "stakeholder_advisories": ["Apple Security Release Notes"],
  "title": "Apple macOS/iOS ASLR Bypass Vulnerability via NSKeyedArchiver Serialization",
  "type": ["Vulnerability Disclosure", "Information Disclosure", "ASLR Bypass"],
  "vulnerability_exploited": "CVE-Unassigned (ASLR Bypass via NSKeyedArchiver Serialization Pointer Leak)"
}