Saturday, June 20, 2026

Unpatchable ‘usbliter8’ Exploit Breaks Apple A12 and A13 SecureROM Boot Chain


Unpatchable ‘usbliter8’ Exploit Breaks Apple A12 and A13 SecureROM Boot Chain

Security researchers at Paradigm Shift have revealed a working exploit, dubbed usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple’s A12 and A13 chips.

That code is burned into the silicon at manufacture. No software update can reach it. Affected devices will carry this flaw for as long as they remain in use.

This isn’t a remote attack. It requires physical possession of the device, which must be in DFU mode and connected via USB to a dedicated RP2350-based microcontroller board. With that setup, the exploit finishes in under two seconds, before Apple’s signed boot chain loads.

The full technical write-up and a working proof of concept went public on June 18, 2026, following coordinated disclosure with Apple Product Security.

Affected Devices

The public PoC supports the A12, A13, S4, and S5 SoCs. A12X and A12Z support is described as theoretically feasible but not yet implemented.

Device families in that range include the iPhone XS, XS Max, and XR; the iPhone 11, 11 Pro, and 11 Pro Max; the iPhone SE (2nd generation); the iPad Air 3rd gen, iPad mini 5th gen, and iPad 8th gen; Apple Watch Series 4 and 5; the first-generation Apple Watch SE; the HomePod mini; and other Apple products built on these chips. A11 is not affected. A14 and later appear to be out of reach for this exploit path.

The Bug

The root issue is a hardware flaw in the Synopsys DWC2 USB controller.

The controller stores incoming USB Setup packets via DMA, buffers up to three, then resets its write pointer on the fourth by decrementing it by a fixed 24 bytes. It also accepts smaller-than-standard packets, incrementing the pointer only by the bytes actually written. That mismatch accumulates into a repeatable buffer underflow, stepping the write pointer backwards through memory 12 bytes at a time.

What makes this exploitable on A12 and A13 is how Apple configures the USB DART (Device Address Resolution Table, the chip’s IOMMU) inside SecureROM. On affected devices, it runs in bypass mode, so the underflowing DMA pointer can reach and overwrite arbitrary SRAM.

A11 is not affected because its USB driver manually resets the DMA address after every packet, so the mismatch never accumulates. A14 and later appear to configure the DART correctly, which Paradigm Shift says makes the vulnerability unexploitable on newer hardware.
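The following Python model is an added illustration, not code from Paradigm Shift’s write-up. It replays the pointer arithmetic described in this section: the fixed 24-byte rewind after three queued Setup packets against packets shorter than 8 bytes, the A11-style per-packet reset that stops the error from accumulating, and a DART check that confines DMA to the mapped Setup buffer instead of bypassing the IOMMU. Packet sizes and the buffer window are constructed values.

```python
# Constants from the article: a standard USB Setup packet is 8 bytes, the DWC2
# controller queues three of them, then rewinds its write pointer by a fixed
# 24 bytes when the fourth arrives.
SETUP_PACKET_LEN = 8
BUFFERED_PACKETS = 3
REWIND = SETUP_PACKET_LEN * BUFFERED_PACKETS  # 24 bytes


def simulate_dma_pointer(packet_sizes, reset_each_packet=False):
    """Return the offset (relative to the Setup buffer start) at which each
    packet's DMA write begins. reset_each_packet=True models the A11 driver,
    which restores the DMA address after every packet."""
    ptr = 0          # write pointer, as an offset into the Setup buffer
    queued = 0       # packets queued since the last rewind
    history = []
    for size in packet_sizes:
        if queued == BUFFERED_PACKETS:
            ptr -= REWIND      # hardware rewinds 24 bytes regardless of what landed
            queued = 0
        history.append(ptr)    # where this packet's bytes are written
        ptr += size            # ...but the pointer only advances by bytes actually written
        queued += 1
        if reset_each_packet:
            ptr, queued = 0, 0  # A11-style reset: the mismatch cannot accumulate
    return history


def underflows(packet_sizes, reset_each_packet=False):
    """True if any write starts before the beginning of the Setup buffer."""
    return min(simulate_dma_pointer(packet_sizes, reset_each_packet)) < 0


def dart_allows_write(offset, dart_bypass, buffer_len=REWIND):
    """Model of the IOMMU check. In bypass mode (affected SecureROMs) every
    address is reachable; with the DART configured, DMA is confined to the
    mapped Setup buffer (window length is a constructed assumption)."""
    if dart_bypass:
        return True
    return 0 <= offset < buffer_len


if __name__ == "__main__":
    # Constructed input: nine undersized 4-byte packets. Each cycle of three
    # advances 12 bytes while the rewind removes 24, so the pointer drifts
    # backwards 12 bytes per cycle.
    print(simulate_dma_pointer([4] * 9))
    print("A11-style reset underflows:", underflows([4] * 9, reset_each_packet=True))
```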

Getting Code Execution

On A12, the DMA buffer sits adjacent to the USB task’s stack on the heap. Overwriting a saved link register hands the attacker control of the program counter on the next context switch.

A13 is harder. Pointer Authentication (PAC) protects stack-stored return addresses. Paradigm Shift bypassed it in stages. Corrupting DART-related heap structures created limited write primitives. Overwriting the panic depth counter made the chip loop on errors instead of rebooting. Careful DMA write timing avoided clobbering the USB task’s saved registers.

The final step overwrote the USB interrupt handler pointer in BSS. The next USB interrupt then ran attacker-supplied code. Either path ends with execution at EL1, the chip’s privileged mode, inside SecureROM.

What an Attacker Gets

Post-exploitation, usbliter8 injects a custom USB request handler and stamps PWND:[usbliter8] into the device’s USB serial string. From there, an attacker can temporarily demote the SoC’s production mode or boot a raw, unsigned iBoot image with no signature checks, stepping outside Apple’s chain of trust entirely.

The research does not demonstrate a Secure Enclave compromise. Apple’s Secure Enclave is designed as a separate security boundary, isolated from the application processor. Paradigm Shift warns that BootROM-level control may open new routes for attacking it.

No Software Patch

The closest public precedent is checkm8, the 2019 SecureROM exploit that permanently put A5-through-A11 devices outside Apple’s patch authority.

Like checkm8, usbliter8 requires physical access and DFU mode and cannot be closed with a firmware update. usbliter8 extends that situation to the next chip generation.

As of June 19, 2026, no CVE, CVSS score, Apple security advisory, or CISA alert had been issued, and no in-the-wild exploitation had been publicly reported.

For most users, the practical risk is low: an attacker needs the physical device, the right cable, and the knowledge to force DFU mode. For high-security environments, this is now a hardware-retirement and device-custody problem.

If a device runs one of the affected chips, the physical boundary is permanently gone; safety depends on controlling when and where the device can be plugged in. Inventory A12, A13, S4, and S5 hardware in sensitive roles, prioritize refreshes toward A14 or newer, and avoid DFU mode over untrusted USB cables or hosts.

The code is public. That’s usually how exploit research stops being a demo and starts being someone else’s tool.
