A critical vulnerability in Apple’s macOS kernel (XNU), tracked as CVE-2025-24118, has been disclosed, potentially allowing attackers to escalate privileges, corrupt memory, and even execute kernel-level code.
The flaw, affecting macOS Sonoma versions earlier than 14.7.3, macOS Sequoia versions earlier than 15.3, and iPadOS versions earlier than 17.7.4, was discovered by Joseph Ravichandran (@0xjprx), a security researcher at MIT CSAIL.
Alongside the disclosure, the researcher also released a Proof-of-Concept (PoC) exploit to demonstrate the issue.
The vulnerability arises from a race condition in Apple’s XNU kernel, specifically involving the interaction of Safe Memory Reclamation (SMR), read-only page mapping, per-thread credentials, and the unsafe use of the memcpy function.
This combination allows unauthorized modification of process credentials, leading to privilege escalation.
Safe Memory Reclamation (SMR)
SMR is an algorithm used to reclaim memory while preventing use-after-free attacks. It was recently introduced into parts of the XNU kernel, including the process credential structure.
SMR ensures that writers serialize their updates while readers access consistent data through critical sections.
However, improper synchronization during credential updates creates a race condition when non-atomic writes are performed on SMR-protected pointers.
Read-Only Pages in XNU
XNU uses APIs like zalloc_ro for allocating read-only objects and zalloc_ro_mut for modifying them. Internally, zalloc_ro_mut relies on memcpy, which is not atomic on x86_64 architectures (rep movsb copies bytes sequentially).
This introduces a risk where partially updated pointers can be read during concurrent writes.
Per-Thread Credentials
The kernel uses a shared credential structure (ucred) to manage security-related fields like user IDs and group IDs for threads. These credentials are stored in an SMR hash table to save memory by sharing identical credentials across threads.
However, improper updates to the proc_ro.p_ucred pointer (which references credentials) can lead to corruption or privilege escalation.
The Race Condition
The bug lies in the function kauth_cred_proc_update, which updates the proc_ro.p_ucred pointer using the non-atomic function zalloc_ro_mut.
During concurrent reads and writes of this pointer, a partially written value may be dereferenced, pointing to an unintended credential object or causing a kernel panic.
The improper use of zalloc_ro_mut instead of an atomic write function creates the race condition.
Proof-of-Concept (PoC) Exploit
Ravichandran’s PoC demonstrates how this vulnerability can be exploited by repeatedly toggling group IDs (setgid) while concurrently reading them (getgid).
The exploit triggers a race condition that corrupts the credential pointer:
When executed with multiple threads, this PoC can cause either a kernel panic or unauthorized credential modification.
Apple has not yet released patches for this vulnerability as of writing. Users are advised to avoid running untrusted code and monitor for security updates.
The researcher suggests replacing non-atomic writes with atomic operations when updating SMR-protected pointers like proc_ro.p_ucred. This would prevent partially written values from being read during concurrent operations. This vulnerability highlights the risks of improper synchronization in modern kernels.
Until Apple releases patches for affected systems (macOS Sonoma < 14.7.3, macOS Sequoia < 15.3, iPadOS < 17.7.4), users should exercise caution and avoid running untrusted software on their devices.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free