Cyber Security News

macOS NULL Pointer Dereference Vulnerability Allow Attackers Exploits Kernel

Historically, NULL pointer dereferences have been a significant vulnerability in operating systems, including macOS.

These occur when software attempts to access memory at address 0 via a NULL pointer, leading to potential crashes or, under certain conditions, exploitation by attackers.

In the past, attackers could exploit such vulnerabilities by mapping controlled memory at address 0, allowing them to execute arbitrary code in kernel mode.

Historical Exploitation Techniques

In older macOS versions, particularly on Intel architectures, attackers exploited NULL pointer dereferences by mapping fake objects at the NULL address in user space.

NULL PointerNULL Pointer
NULL Pointer Dereferences on Apple Silicon

This was possible with 32-bit binaries, where the page-zero reservation could be disabled, allowing memory allocation at address 0.

Notable examples include Piotr Bania’s exploit of an Intel graphics driver bug in 2016 and Luca Todesco’s “tpwn” exploit in 2015, which targeted OS X Yosemite.

According to Afine Report, these exploits often required bypassing protections like SMEP (Supervisor Mode Execution Prevention), which prevents the kernel from executing user-space memory.

However, Apple has significantly hardened macOS against such exploits.

Starting with OS X 10.11 (El Capitan), Apple introduced SMEP and other hardening measures, including System Integrity Protection (SIP).

By late 2016, Apple had effectively closed avenues for exploiting NULL pointer dereferences by adding NULL checks and improving state handling.

The removal of 32-bit process support in macOS 10.15 further eliminated the primary method for mapping the NULL page on Intel-based machines.

Modern Mitigations on Apple Silicon

The transition to Apple Silicon (ARM64 architecture) has introduced robust mitigations that render NULL pointer dereferences unexploitable.

On Apple Silicon, all user processes are 64-bit, and the kernel enforces strict NULL page mapping protections, ensuring that no memory is mapped at address 0 in user space.

The ARM64 architecture leverages features like Privileged Execute Never (PXN) and Privileged Access Never (PAN), which prevent the kernel from executing code from user-space pages and accessing user memory without explicit overrides.

Pointer Authentication Codes (PAC)

Additionally, Pointer Authentication Codes (PAC) on ARM64e architecture protect against pointer corruption by verifying cryptographic signatures on pointer values.

These enhancements make it extremely difficult for attackers to exploit NULL pointer dereferences on modern macOS systems.

Any attempt to do so would result in a fault rather than code execution, effectively halting potential exploits.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

2 days ago