DongHa Lee

Wrapped up BOB14 grabbed some bounty on the way. Not bad at all.

🍎 CVE-2026-28817 @G1uN4sh, with @4ncientH @leegn4a @DQPC_lover @R4mbb1 @gap_dev Discovered by BoB 0xb6 team.

🍎CVE-2026-28868 XNU :)

🍎CVE-2026-20695 XNU bug! [ZDI-CAN-28499]

@wh1te4ever Great work👍

I have posted a write-up for those who are interested in building virtual iPhone. If have any further questions, please feel free to reach out via DM, Thanks. github.com/wh1te4ever/sup…

Some demo about running Virtual iPhone using Apple Virtualization framework: youtu.be/3vvrU0YGKCQ

@MrKaLi176442 Varies case by case. Probably tied to the quarter cycle, so from my experience it can take up to ~6 months. I don’t know exactly though.😭

@gap_dev I reported a bug status was adressed but not received any bounty message. How much time need for bounty message after adressed?

Received $1,000 from Apple’s bug bounty program! Old report, but a nice surprise🎁

@MrKaLi176442 I reported this bug in June, received a CVE in October, and the bounty has now been addressed.

@gap_dev Congrats. How time to adressed to rewarded?

@tom_doerr is it stable?

Installs macOS on Proxmox VE github.com/luchina-gabrie…

Getting ready to try something academic🎓 tkips.kips.or.kr/digital-librar…

🤌🔥 "Build a Fake Phone, Find Real Bugs Qualcomm GPU Emulation and Fuzzing with LibAFL QEMU" media.ccc.de/v/39c3-build-a…

On Apple Silicon, the GPU by default cannot use more than about 75% of the system's total memory, but you can change this setting easily. I use my own script for that and set it up to 98% on M3 Ultra 512GB. gist.github.com/ivanfioravanti…

I’m not affiliated with Talos. I’m an independent security researcher, so I don’t really know the details of the other bug. For my bug, I found it quite a while ago, and it looks like the credit process got missed after I reported it (it’s being sorted out now lol). As for exploitation: at least when I analyzed it back then, I didn’t see a viable way to get a shell. Even though it’s a stack overflow, I couldn’t find a memory layout that I could realistically overwrite in a useful way.

@gap_dev does the new binary also ship withouth pie ? since stack overflow u could technically redirect to the vuln section where u put ropchain there right to get shell ?

CVE-2025-23339 My first NVIDIA CVE🎉 (found via grammar-based fuzzing)

@f00fc7c800 Yep, it’s a stack overflow, but no shell😅 Not entirely sure where the line is drawn for calling this code execution

@gap_dev yo is it really a stack overflow ? that s nice did u manage to leverage it to shell ? i worked on something else on cuobjdump and didnt manage to get shell :/

@crypto_profit1 Issue will be open soon!

@gap_dev writeup or issue ?

CVE-2025-10500 (+15000 usd) When will they update my credit?😂

@_silgen_name 아하...그렇군요 답변 감사합니다!

@gap_dev 만약 Hypervisor가 있다고 해도 Entitlements가 있어야 해서 17.0.1 이상에서는 불가능하고요. developer.apple.com/documentation/…

iOS 19 AppleInternal은 Virtualization.framework가 있네