Red Hot Cyber
Critical WebKit Vulnerability Exposes iOS Devices to Code Execution

29 December 2025 09:16

A new report details a critical vulnerability discovered by security researcher Joseph Goydish in Apple’s WebKit engine. This security flaw, if exploited in conjunction with other exploits, could allow attackers to execute arbitrary code on the latest iOS devices.

The flaw is an integer overflow in iOS 26.2 that, on current builds, lets a malicious web page crash the browser. The report's point is that the bug is present today and that its impact depends entirely on the mitigations currently standing in its way.

The vulnerability stems from a classic software bug: an integer overflow. According to the report, the issue occurs when calculating memory limits for ArrayBuffer, TypedArray, and WebAssembly operations.

The flaw sits in the JavaScriptCore (JSC) engine, which executes JavaScript for Safari and for every third-party browser on iOS. The report calls the bug a "deterministic primitive": it triggers reliably and reproducibly, which is exactly what an attacker would want to chain with further exploits, even though Apple's current mitigations stop it from going beyond a crash.

“The vulnerability is due to an integer overflow when calculating memory offsets for TypedArray and DataView operations,” the analysis explains .

The vulnerability has been confirmed in iOS 26.2 (Build 23C55) running on an iPhone 14 Pro Max. The report suggests the impact is likely broader and could affect:

  • All versions of iOS 26.x
  • macOS Sequoia 15.x
  • All third-party iOS browsers (Apple requires them to use WKWebView, and therefore the same WebKit/JavaScriptCore engine).

Goydish provided a proof of concept (PoC) demonstrating the flaw using just a few lines of JavaScript. By creating a DataView buffer and setting a specific Uint32 value, the code forces a 32-bit wraparound, triggering the crash.

The root of the problem is the arithmetic. When the engine multiplies an index by the size of an element, the product can wrap around the 32-bit boundary: a very large index multiplied by four, for example, yields a small number that passes the initial bounds check, while the location the attacker actually asked for lies far outside the buffer.

For now, users are protected by Gigacage, WebKit's memory-partitioning mechanism. When the wrapped access reaches outside the 16GB partition the cage allows, Gigacage catches the violation and the WebContent process is terminated immediately.

That stops the access before any memory is corrupted, but it does not stop the crash: the result is a reliable, repeatable denial of service (DoS) in which Safari, or any app embedding a web view, dies as soon as the page runs.
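To make the index-times-element-size wraparound concrete, here is an added illustration of the bug class (it is not WebKit or JavaScriptCore code, and the `ArrayView`, `in_bounds_wrapping` and `in_bounds_checked` names are hypothetical). A generic typed-array style bounds check computes the byte offset in 32-bit arithmetic; with a 4-byte element (the width of a Uint32, as in the report's DataView PoC) and an index of 2^30 the product is exactly 2^32, which wraps to 0 and sails through the check. The hardened variant rejects the index before any multiplication can wrap and does the remaining arithmetic in 64 bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a typed-array/DataView backing store.
 * Constructed for this example; not WebKit's real data structure. */
typedef struct {
    uint32_t byte_length;   /* size of the backing store in bytes */
} ArrayView;

/* The byte offset the caller really asked for, computed without truncation. */
uint64_t true_byte_offset(uint32_t index, uint32_t element_size) {
    return (uint64_t)index * element_size;
}

/* Vulnerable pattern: the product wraps at 2^32, so a huge index can yield a
 * tiny offset that satisfies the bounds test even though the real offset lies
 * far outside the buffer. (Unsigned wrap is well-defined C, so no UB here.) */
bool in_bounds_wrapping(const ArrayView *v, uint32_t index, uint32_t element_size) {
    uint32_t byte_offset = index * element_size;          /* silently wraps */
    return byte_offset + element_size <= v->byte_length;  /* may wrap too */
}

/* Hardened pattern: compare the index against the element count first, which
 * cannot overflow, then confirm the 64-bit offset fits the buffer. */
bool in_bounds_checked(const ArrayView *v, uint32_t index, uint32_t element_size) {
    if (element_size == 0 || element_size > v->byte_length)
        return false;
    if (index >= v->byte_length / element_size)           /* no multiplication yet */
        return false;
    return true_byte_offset(index, element_size) + element_size <= v->byte_length;
}

int main(void) {
    ArrayView view = { .byte_length = 4096 };  /* constructed 4 KiB buffer */
    uint32_t wrap_index = 0x40000000u;         /* 2^30; times 4 == 2^32, wraps to 0 */

    printf("requested offset : %llu bytes (buffer is %u bytes)\n",
           (unsigned long long)true_byte_offset(wrap_index, 4), view.byte_length);
    printf("wrapping check   : %s\n",
           in_bounds_wrapping(&view, wrap_index, 4) ? "accepted (bug)" : "rejected");
    printf("hardened check   : %s\n",
           in_bounds_checked(&view, wrap_index, 4) ? "accepted" : "rejected");
    return 0;
}
```

The wrapping check accepts an access that is 4 GiB beyond a 4 KiB buffer; in a real engine that access would land outside the caged region, which is the crash the article describes. The hardened check rejects it while still accepting every legitimate index, including the last valid one.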

However, the report warns that this safety net is not invincible. “If Gigacage were bypassed or its base address leaked, this vulnerability would enable relative memory corruption,” allowing attackers to manipulate objects adjacent to the overflowed buffer.

In the worst case, that could lead to remote code execution (RCE) via "vtable hijacking": corrupting the virtual function pointers of an adjacent C++ object so that a later virtual call hands the instruction pointer to the attacker, giving them control of the WebContent process.

“Gigacage currently prevents exploitation by terminating the process before memory corruption occurs,” the report concludes, but the presence of such a fundamental logic flaw serves as a stark reminder of the fragile mathematics underlying modern web security.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.