Preface: In iOS, the microkernel component (Mach) does not communicate with user space from a separate address space. Instead, it communicates directly within a unified kernel space alongside monolithic components, bypassing the traditional performance costs of a pure microkernel.
Although iOS runs on ARM-based Apple Silicon, its operating system core, XNU (“X is Not Unix”), is a hybrid kernel: it combines the Mach microkernel, a monolithic BSD layer and the I/O Kit driver framework in a single, highly privileged address space.
Background: If a specific, complex code path inside a kernel subsystem uses an object but, through a logic error, omits the call to the appropriate reference increment function (e.g., ipc_port_reference()), the reference count drops to zero prematurely when another thread requests a deletion.
The Result: The kernel, trusting its counters, deletes the object, but the flawed subsystem still holds a raw C pointer to that memory address. When the subsystem eventually writes data through that pointer, it performs an out-of-bounds write into memory that may now contain entirely different data.
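To make the reference-count mechanism described above concrete, here is an added, constructed example in C; it is not XNU code, and the names kobj_t, kobj_reference, kobj_release, subsystem_cache and subsystem_write are hypothetical. A tiny two-slot "zone" stands in for the kernel allocator so that reuse of a deleted object is observable without undefined behaviour. The same scenario is run twice: once with the logic error (the subsystem keeps a raw pointer without taking a reference, so the owner's release drops the count to zero and a later allocation reuses the memory), and once with the missing reference taken, which is the fix.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy allocator: two fixed slots so freed-memory reuse is visible. */
#define SLOTS 2

typedef struct kobj {
    int refcnt;         /* number of holders; the object is deleted at zero */
    int in_use;         /* 1 while allocated, 0 once returned to the zone */
    char payload[16];   /* stand-in for the object's real contents */
} kobj_t;

static kobj_t zone[SLOTS];

/* Allocate the first free slot; the caller holds the initial reference. */
static kobj_t *kobj_alloc(const char *tag) {
    for (int i = 0; i < SLOTS; i++) {
        if (!zone[i].in_use) {
            memset(&zone[i], 0, sizeof zone[i]);
            zone[i].in_use = 1;
            zone[i].refcnt = 1;
            strncpy(zone[i].payload, tag, sizeof zone[i].payload - 1);
            return &zone[i];
        }
    }
    return NULL;
}

/* Take an additional reference (the call the flawed code path forgets). */
static void kobj_reference(kobj_t *o) { o->refcnt++; }

/* Drop one reference; at zero the slot goes back to the zone ("safe delete"). */
static void kobj_release(kobj_t *o) {
    if (--o->refcnt == 0) o->in_use = 0;
}

/* A subsystem that caches a pointer for later use. With take_ref == 0 it
 * models the logic error in the text: a raw pointer with no reference taken. */
static kobj_t *cached;
static void subsystem_cache(kobj_t *o, int take_ref) {
    if (take_ref) kobj_reference(o);
    cached = o;
}

/* The later write through the cached pointer. */
static void subsystem_write(const char *msg) {
    strncpy(cached->payload, msg, sizeof cached->payload - 1);
}

/* Run the scenario. Returns 1 if the write landed in memory that now belongs
 * to a different object, 0 if it reached the object it was meant for. */
int scenario(int take_ref) {
    memset(zone, 0, sizeof zone);
    kobj_t *port = kobj_alloc("port-A");
    subsystem_cache(port, take_ref);
    kobj_release(port);                  /* another thread's deletion request */
    kobj_t *other = kobj_alloc("other"); /* reuses port's slot only if it was freed */
    subsystem_write("subsys-data");
    int corrupted = (other == port) && strcmp(other->payload, "subsys-data") == 0;
    if (take_ref) kobj_release(cached);  /* balanced release on the fixed path */
    return corrupted;
}

int main(void) {
    printf("missing reference: corrupted=%d\n", scenario(0)); /* 1 */
    printf("reference taken:   corrupted=%d\n", scenario(1)); /* 0 */
    return 0;
}
```

The invariant that matters for review and for static checks is that every stored pointer to a reference-counted object is matched by a reference taken before the pointer is stored and released after its last use; in the first run that pairing is absent and the write lands in an object the subsystem never owned.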
Vulnerability details: An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination or write kernel memory.
Official announcement: Please refer to the link for details – https://www.cve.org/CVERecord?id=CVE-2026-28972