Both first-stage bugs exploited by this chain are in JavaScriptCore. We should improve how we build JavaScript JITs somewhat.

https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain

The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors | Google Cloud Blog

DarkSword is a new iOS exploit chain that leverages multiple zero-day vulnerabilities to fully compromise iOS devices.

[JSC]ASSERTION FAILED: !needsSlowPutIndexing() at ensureArrayStorageSlow · WebKit/WebKit@716536c

https://bugs.webkit.org/show_bug.cgi?id=291745 rdar://149546458 Reviewed by Keith Miller. We should not create Contiguous array when have-a-bad-time happened for RegExp match results. * JSTests/...

GitHub