
Apple’s macOS Kernel Vulnerability (CVE-2025-24118) Exposes Users to Privilege Escalation Attacks – PoC Released

A critical privilege escalation vulnerability in Apple’s macOS kernel has been revealed, posing a significant risk to users.

The flaw, tracked as CVE-2025-24118, affects macOS Sonoma, macOS Sequoia, and iPadOS 17.

Security researcher Joseph Ravichandran (@0xjprx) from MIT CSAIL brought this issue to light, demonstrating how a race condition in the macOS XNU kernel could lead to memory corruption and potentially allow attackers to execute code with kernel-level privileges.

A Proof-of-Concept (PoC) has been publicly disclosed, increasing urgency for users to patch their systems.

Affected Systems

The CVE-2025-24118 vulnerability impacts the following versions:

  • macOS Sonoma versions below 14.7.3
  • macOS Sequoia versions below 15.3
  • iPadOS versions below 17.7.4

Apple addressed the vulnerability in macOS Sequoia 15.3, released on January 27, 2025, and in the corresponding Sonoma and iPadOS updates. Users are urged to update their devices immediately to mitigate the risk.

A Complex Web of Kernel Features

The vulnerability arises from the interaction of several newer mechanisms in the XNU kernel:

  1. Safe Memory Reclamation (SMR): SMR lets readers access shared kernel data without taking a lock and defers freeing an object until no reader can still hold a reference to it, which is how the lock-free read path avoids use-after-free. The scheme relies on readers always seeing a consistent pointer, so whoever updates an SMR-protected pointer must publish the new value with a single atomic store. The p_ucred update path did not.
  2. Read-Only Pages in XNU: The kernel places critical data such as process credentials on read-only pages, so that even a kernel memory-write primitive cannot simply overwrite them; changes go through dedicated APIs such as zalloc_ro_mut. zalloc_ro_mut performs an ordinary, non-atomic copy, which is fine for most fields but not for a pointer that lock-free readers load concurrently.
  3. Per-Thread Credentials: Threads work from cached credential references, while the underlying credential structures (struct ucred), which hold sensitive fields such as the uid_t user IDs, are reference-counted and shared rather than copied, to save memory. Each process reaches its current credential through the p_ucred pointer, which many threads read while system calls such as setgid replace it. Improper synchronisation of that pointer update is the bug.

The bug is in how the p_ucred field, the process's credential pointer guarded by SMR, is updated.

The update goes through zalloc_ro_mut, which is not atomic, so a thread reading p_ucred at the same moment can observe a partially written pointer: a value that is neither the old credential nor the new one. A local attacker who wins that race can make the process's credential pointer reference an invalid address or an unintended credential.
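To make the failure mode concrete, here is an added example that is not part of the original article or of Apple's XNU code: a user-space C model in which a shared credential pointer is published to a lock-free reader the way p_ucred is under SMR. The buggy writer copies the new pointer in byte by byte, standing in for the non-atomic copy behind zalloc_ro_mut; the fixed writer uses one atomic store, as the zalloc_ro_mut_atomic fix does. Names such as ucred_model, CRED_A, racy_publish and run_race, and the sample uid/gid values, are constructed for the example, and little-endian byte order is assumed. partial_publish shows deterministically what a reader sees after only some of the pointer's bytes have landed; run_race checks the same thing live with two threads.

```c
// Added example, not code from the article or from Apple's XNU: a user-space
// model of the CVE-2025-24118 bug class. p_ucred here is a plain pointer slot
// that a reader loads without a lock, as SMR readers do in the kernel. The
// buggy writer stores the new pointer byte by byte, modelling the non-atomic
// copy behind zalloc_ro_mut; the fixed writer uses one atomic store, as
// zalloc_ro_mut_atomic does. All names and sample values are constructed.
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ucred_model { unsigned uid, gid; };   /* stand-in for struct ucred */

/* Two credential objects carved from one arena at offsets 0 and 0x30204, so
 * their addresses differ in at least the three low bytes. A byte-wise pointer
 * update therefore passes through values that match neither object. */
static unsigned arena[0x30300 / sizeof(unsigned)];
#define CRED_A ((struct ucred_model *)arena)
#define CRED_B ((struct ucred_model *)((unsigned char *)arena + 0x30204))

static struct ucred_model *p_ucred;          /* the shared credential pointer */
static int stop_flag;

int is_valid_cred(uintptr_t p) {
    return p == (uintptr_t)CRED_A || p == (uintptr_t)CRED_B;
}

/* What a reader sees after the first k bytes of the new pointer have landed
 * in the slot (little-endian byte order assumed): tearing, deterministically. */
uintptr_t partial_publish(struct ucred_model *old, struct ucred_model *new_, size_t k) {
    uintptr_t slot = (uintptr_t)old;
    memcpy(&slot, &new_, k);
    return slot;
}

/* Buggy publish: a byte-wise copy into the slot, like a plain memcpy into a
 * read-only zone. The volatile byte stores cannot be merged by the compiler. */
static void racy_publish(struct ucred_model *new_) {
    volatile unsigned char *dst = (volatile unsigned char *)&p_ucred;
    unsigned char src[sizeof new_];
    memcpy(src, &new_, sizeof new_);
    for (size_t i = 0; i < sizeof new_; i++) dst[i] = src[i];
}

/* Fixed publish: one atomic store, so a reader sees old or new, never a mix. */
static void atomic_publish(struct ucred_model *new_) {
    __atomic_store_n(&p_ucred, new_, __ATOMIC_RELEASE);
}

struct race_args { int use_atomic; long iterations; long torn; };

static void *writer_thread(void *arg) {
    struct race_args *a = arg;
    for (long i = 0; i < a->iterations; i++) {   /* setgid(a); setgid(b); ... */
        struct ucred_model *next = (i & 1) ? CRED_A : CRED_B;
        if (a->use_atomic) atomic_publish(next); else racy_publish(next);
    }
    __atomic_store_n(&stop_flag, 1, __ATOMIC_RELEASE);
    return NULL;
}

static void *reader_thread(void *arg) {
    struct race_args *a = arg;
    while (!__atomic_load_n(&stop_flag, __ATOMIC_ACQUIRE)) {
        /* SMR-style reader: one aligned load, no lock (getgid() in the PoC). */
        uintptr_t seen = (uintptr_t)__atomic_load_n(&p_ucred, __ATOMIC_ACQUIRE);
        if (!is_valid_cred(seen)) a->torn++;    /* in the kernel: a wild deref */
    }
    return NULL;
}

/* Runs writer and reader concurrently and returns how many torn pointers the
 * reader observed: always 0 with use_atomic, usually more than 0 without. */
long run_race(int use_atomic, long iterations) {
    struct race_args a = { use_atomic, iterations, 0 };
    pthread_t w, r;
    CRED_A->uid = 501; CRED_A->gid = 20;          /* constructed sample creds */
    CRED_B->uid = 501; CRED_B->gid = 80;
    p_ucred = CRED_A;
    stop_flag = 0;
    pthread_create(&r, NULL, reader_thread, &a);
    pthread_create(&w, NULL, writer_thread, &a);
    pthread_join(w, NULL);
    pthread_join(r, NULL);
    return a.torn;
}

int main(void) {
    for (size_t k = 0; k <= sizeof(void *); k++)
        printf("after %zu byte(s) stored: %s\n", k,
               is_valid_cred(partial_publish(CRED_A, CRED_B, k)) ? "valid" : "TORN");
    printf("non-atomic publish: %ld torn reads\n", run_race(0, 2000000));
    printf("atomic publish:     %ld torn reads\n", run_race(1, 2000000));
    return 0;
}
```

Build with cc -pthread. The partial_publish loop always reports torn values after one and two bytes, whatever the load address; the live non-atomic run typically reports torn reads as well, while the atomic run reports none. In user space a torn pointer is just a wrong number; in the kernel, dereferencing it is a panic or, if an attacker can control what lies at that address, the start of a privilege escalation.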

PoC and Exploit Mechanism

The Proof-of-Concept (PoC) by Ravichandran demonstrates how to exploit the race condition using concurrent operations. The attack involves two threads:

  • A Writer Thread continually updates the process credentials (e.g., via rapid setgid calls to switch between user group IDs).
  • A Reader Thread repeatedly accesses the p_ucred field during these updates.

This creates a race condition where the reader thread can encounter partially updated credential pointers, potentially leading to memory corruption or privilege escalation. Below is a snippet of PoC code used to trigger the bug:

#include <pthread.h>
#include <stdbool.h>
#include <unistd.h>
static gid_t real_gid, effective_gid;  // two distinct GIDs the process is allowed to assume
// Writer thread: rapidly switches GIDs; every change makes the kernel publish a new p_ucred
static void *writer(void *arg) {
    while (true) {
        setgid(real_gid);       // Set to real GID
        setgid(effective_gid);  // Switch to effective GID
    }
}
// Reader thread: repeatedly calls getgid, which reads the credential through p_ucred
static void *reader(void *arg) {
    volatile gid_t tmp;
    while (true) {
        tmp = getgid();  // Access ucred field
    }
}

When the race is won, the reader observes a torn p_ucred value rather than either of the two legitimate credential pointers.

Depending on what lies at that address, the result is a kernel panic, a process silently running with the wrong permissions, or, if the torn address can be made to point at a more privileged credential, elevated privileges.

Because the race is reachable from unprivileged code through ordinary system calls such as setgid and getgid, any local user or malicious application on an unpatched system can attempt it, and success means kernel-level privileges.

That makes the flaw a serious concern on affected systems, especially shared machines and enterprise fleets where untrusted code runs alongside sensitive data.

The PoC highlights the complexity of modern kernel features and the challenges of ensuring synchronization in concurrent environments.

The PoC was demonstrated on Intel-based Macs; its behaviour on ARM-based systems such as Apple Silicon had not been fully characterised at the time of writing, although Apple shipped the fix for all affected platforms, iPadOS included.

Apple has addressed the issue in macOS 15.3, macOS Sonoma 14.7.3, and iPadOS 17.7.4.

The fix involves replacing non-atomic writes (zalloc_ro_mut) with atomic operations (zalloc_ro_mut_atomic) for the p_ucred field, ensuring proper synchronization. Users and organizations are strongly advised to:

  • Update to the latest versions of macOS and iPadOS to patch the vulnerability.
  • Avoid running unverified binaries or granting excessive permissions to untrusted applications.

CVE-2025-24118 serves as a reminder of the persistent challenges in securing modern kernels against concurrency flaws.

While Apple has swiftly addressed the bug, the disclosure of a PoC underscores the need for vigilance.

Users should act promptly to update their systems and protect sensitive data from potential exploitation.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
