CVE-2017-13865 + CVE-2017-13861 ? May lead the way for an iOS Jailbreak Exploit

CVE-2017-13865 is a kernel flaw that allows an application to read restricted memory, and CVE-2017-13861 is a weakness in IOSurface that can be leveraged to execute arbitrary code with kernel privileges. Both security holes were already patched by Apple in early December with the release of iOS 11.2.


Google Project Zero researcher Ian Beer has released the exploit in an effort to help security researchers analyze Apple devices by running their own tools. His exploit was tested on iPhone 7, iPhone 6s and iPod Touch 6G running iOS 11.1.2, and he believes support can easily be added for other devices.

How does it work?

The researcher’s exploit targets task_for_pid 0 (tfp0), a function that provides access to the kernel task port and which can be useful for jailbreaking. It also provides a local kernel debugger.

What’s next?

The vulnerabilities necessary for a jailbreak have become increasingly difficult to find and Apple has implemented many of the features that in the past required third-party apps and jailbroken devices.

Many users are hoping to see an iOS 11 jailbreak in the coming weeks, but Apple might fix it anyway with another update.


  • iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules (
  • Pangu9

2 replies on “CVE-2017-13865 + CVE-2017-13861 ? May lead the way for an iOS Jailbreak Exploit”

I think you mix some things here, the CIA/FBI copies your whole phone data to their own hdd/ssd. There is not really an exploit or hack needed, because usually only a PIN, fingerprint or Face is needed to unlock your device and then they can make a 1:1 data dump.

The only difference here is when you use encryption they can’t see the data they copied here directly without the need to decrypt the data first. In general, whenever there is an exploit and it got fixed and you update your device/OS to fix it you can’t use exactly the same exploit.

However this is not really about my article, in my article I mention that there will be (maybe) a jailbreak very soon – but at the same time I mentioned that it’s getting harder and harder to find holes (also on Android) because of the restrictions from Apple, Google,…



If your iPhone is hacked by the state, and Apple patches the exploit they used. And you were somehow able to update your phone normally, is it possible for them to still have your phone hacked? After the first vulnerability is patched? I’m thinking yes. So probably once you’re hacked you’ll be ownt for a long time.

