Security researcher Joseph Goydish has identified a critical vulnerability within Apple’s WebKit engine, exposing a flaw that could potentially allow attackers to crash browsers or—if chained with other exploits—execute arbitrary code on the latest iOS devices. The discovery, detailed in a new report, highlights a dangerous integer overflow bug in iOS 26.2.
The vulnerability affects the JavaScriptCore (JSC) engine, the heart of Safari and all third-party browsers on iOS. While Apple’s built-in defenses are currently holding the line, the flaw represents a “deterministic primitive” that hackers could leverage for more severe attacks.
The vulnerability stems from a classic software error: an integer overflow. According to the report, the issue occurs during the calculation of memory bounds for ArrayBuffer, TypedArray, and WebAssembly operations.
“The vulnerability is rooted in an integer overflow during the calculation of memory offsets for TypedArray and DataView operations,” the analysis explains.
When the engine multiplies an index by an element size, the product can “wrap around at the 32-bit boundary”. Because the bounds check then operates on the wrapped, much smaller value, a request can pass the check while the real offset points far outside the buffer.
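As an added illustration of the bug class the report describes (this is not the researcher's PoC and not WebKit's code), the C below puts a bounds check that computes the offset in 32-bit arithmetic beside one that computes it in 64 bits; the buffer length, index and element size are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive check: offset is computed in uint32_t, so index * element_size
 * wraps modulo 2^32 and a huge index can look like a tiny offset. */
bool naive_in_bounds(uint32_t index, uint32_t element_size, uint32_t buffer_length)
{
    uint32_t offset = index * element_size;          /* may wrap */
    uint32_t end = offset + element_size;            /* may wrap again */
    return end <= buffer_length;
}

/* Hardened check: do the arithmetic in a type wide enough to hold the true
 * product. Both operands are < 2^32, so the 64-bit product plus element_size
 * is < 2^33 and cannot wrap; the comparison then sees the real offset. */
bool checked_in_bounds(uint32_t index, uint32_t element_size, uint32_t buffer_length)
{
    uint64_t end = (uint64_t)index * element_size + element_size;
    return end <= buffer_length;
}

/* Returns the wrapped 32-bit offset for a given index and element size,
 * to show what the naive check actually compares against the length. */
uint32_t wrapped_offset(uint32_t index, uint32_t element_size)
{
    return index * element_size;
}

int main(void)
{
    /* Constructed case: 4-byte elements, 1 KiB buffer, index chosen so the
     * 32-bit product is 0x100000004, which wraps to 4. */
    uint32_t len = 1024, elem = 4, idx = 0x40000001u;
    printf("wrapped offset    = %u\n", wrapped_offset(idx, elem));
    printf("naive_in_bounds   = %d (wrong: accepts out-of-range index)\n",
           naive_in_bounds(idx, elem, len));
    printf("checked_in_bounds = %d (correct: rejects it)\n",
           checked_in_bounds(idx, elem, len));
    return 0;
}
```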
For now, users are protected by Gigacage, WebKit’s security partitioning mechanism. When the overflow attempts to access memory outside the permitted 16GB partition, Gigacage detects the violation and immediately terminates the WebContent process.
While this prevents immediate malicious code execution, it results in a persistent Denial of Service (DoS), causing the browser or embedded web views to crash instantly.
However, the report warns that this safety net isn’t invincible. “Should the Gigacage be bypassed or its base address leaked, this vulnerability enables Relative Memory Corruption,” allowing attackers to manipulate objects adjacent to the overflowed buffer.
In a worst-case scenario, this could lead to Remote Code Execution (RCE) via “Vtable Hijacking,” where attackers corrupt virtual function pointers to seize control of the device’s instruction pointer.
The vulnerability has been confirmed on iOS 26.2 (Build 23C55) running on an iPhone 14 Pro Max. The report suggests the impact is likely broader, potentially affecting:
- All iOS 26.x releases
- macOS Sequoia 15.x
- All third-party iOS browsers (since they must use the WKWebView engine)
Goydish provided a Proof of Concept (PoC) demonstrating the flaw using just a few lines of JavaScript. By creating a DataView buffer and setting a specific Uint32 value, the code forces the 32-bit wrap-around, triggering the crash.
“The Gigacage currently prevents exploitation by terminating the process before memory corruption occurs,” the report concludes, but the presence of such a fundamental logic flaw serves as a stark reminder of the fragile math underpinning modern web security.