Trigon: A Newly Unveiled Exploit Targeting an iOS 0-Day Kernel Vulnerability

Security researchers have unveiled Trigon, a sophisticated new kernel exploit targeting Apple iOS devices. The exploit takes advantage of a critical vulnerability in the XNU kernel’s virtual memory subsystem.

Linked to the Operation Triangulation spyware campaign—originally discovered by Kaspersky—Trigon grants attackers arbitrary kernel read/write capabilities without triggering kernel panics, a rare achievement in modern iOS exploitation.

Kernel Exploit Targeting iOS Devices

At the heart of Trigon is CVE-2023-32434, an integer overflow vulnerability in the mach_make_memory_entry_64 function of the XNU kernel.

First observed in the wild during Operation Triangulation, this flaw allows attackers to craft a malicious memory entry spanning 18,000 petabytes—far beyond physical device limitations—by exploiting an unchecked addition of user-controlled size and offset parameters.

Bypassing crucial sanity checks, this vulnerability enables attackers to map kernel memory into userspace, opening the door for further exploitation.

By supplying values such as size=0xFFFFFFFFFFFFC000 and offset=0x8000, the exploit triggers an integer overflow: the 64-bit sum of the two parameters wraps around to a small value, so the boundary check that compares that sum against the object’s limit passes even though the requested range is enormous.
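As an added illustration, and not code from the Trigon project or from the XNU sources, the C snippet below models the class of bug described above: a bounds check on a user-controlled size and offset whose sum is computed in 64-bit arithmetic with no overflow detection, shown beside a hardened version that rejects the wrap using the compiler’s __builtin_add_overflow. The function names, the REGION_LIMIT constant and the 4 GiB example object are assumptions; the size and offset values are the ones quoted in the article.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a 4 GiB backing object. The real XNU limit and
 * field names differ; this only models the arithmetic. */
#define REGION_LIMIT 0x100000000ULL

/* Vulnerable pattern (hypothetical name): the article describes an unchecked
 * addition of user-controlled size and offset. In 64-bit unsigned arithmetic
 * the sum silently wraps modulo 2^64, so an enormous size can yield a tiny
 * end address that passes the limit comparison. */
bool range_check_unchecked(uint64_t offset, uint64_t size, uint64_t limit)
{
    uint64_t end = offset + size;   /* may wrap around to a small value */
    return end <= limit;            /* a wrapped value passes the check */
}

/* Hardened pattern (hypothetical name): detect the wrap explicitly.
 * __builtin_add_overflow exists in GCC and Clang and returns true when the
 * mathematical sum does not fit in the destination type. */
bool range_check_safe(uint64_t offset, uint64_t size, uint64_t limit)
{
    uint64_t end;
    if (__builtin_add_overflow(offset, size, &end))
        return false;               /* reject: sum would exceed 2^64 - 1 */
    return end <= limit;
}

/* Size of a request in decimal petabytes (10^15 bytes), to put the
 * article's "18,000 petabytes" figure in context. */
uint64_t size_in_petabytes(uint64_t size)
{
    return size / 1000000000000000ULL;
}

int main(void)
{
    /* Values quoted in the article for CVE-2023-32434. */
    const uint64_t size   = 0xFFFFFFFFFFFFC000ULL;
    const uint64_t offset = 0x8000ULL;

    printf("requested size: %llu PB\n",
           (unsigned long long)size_in_petabytes(size));
    printf("wrapped end   : 0x%llx\n", (unsigned long long)(offset + size));
    printf("unchecked     : %s\n",
           range_check_unchecked(offset, size, REGION_LIMIT) ? "ACCEPTED" : "rejected");
    printf("overflow-safe : %s\n",
           range_check_safe(offset, size, REGION_LIMIT) ? "accepted" : "REJECTED");
    return 0;
}
```

Built with `cc -std=c11`, the program shows the unchecked comparison accepting the quoted parameters because 0x8000 + 0xFFFFFFFFFFFFC000 wraps to 0x4000, while the overflow-aware version rejects them. The same pattern applies to any size/offset pair whose sum exceeds 2^64 - 1, not only the values in the article.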

Developed by Alfie CG with contributions from @staturnzz and @TheRealClarity, Trigon’s source code is publicly available on GitHub.

Exploit Chain and Technical Mechanics

Stage 1: Privileged Memory Entry Creation

The exploit initiates by crafting a parent memory entry within PurpleGfxMem, a restricted memory region typically reserved for GPU operations.

By constructing an IOSurface object with its IOSurfaceMemoryRegion property set to PurpleGfxMem, attackers circumvent XNU’s vm_page_insert_internal panic checks. This is possible because PurpleGfxMem entries do not enforce the internal flag required for standard allocations, allowing unrestricted physical memory mapping.

Stage 2: Physical Memory Mapping Primitive

With the oversized memory entry in place, Trigon maps arbitrary physical addresses into the attacker’s process using mach_vm_map.

By computing offsets relative to the iBoot-handoff region—a bootloader-passed data structure in DRAM—the exploit dynamically determines the kernel slide and the KTRR (Kernel Text Read-Only Region) boundaries.

On A10(X) devices, this process involves reading MMIO registers that store KTRR’s lower and upper limits, allowing the attacker to pinpoint the kernel’s Mach-O header.

Stage 3: Kernel Read/Write via IOSurface Spray

To bypass Page Validation Hash (PVH) protections, Trigon sprays thousands of IOSurface objects into physical memory.

The exploit locates non-page-table regions containing these sprayed objects by scanning the pv_head_table, a kernel structure responsible for tracking page types. Once identified, these surfaces are manipulated to construct forged task_t and proc_t structures, effectively granting root privileges and disabling sandboxing.

Currently, Trigon supports A10(X)-based devices (iPhone 7, iPad 6th Gen) running iOS 13–16.5.1. However, it does not work on A12+ (arm64e) or A11 SoCs due to hardware-enforced security features:

  • Pointer Authentication Codes (PAC): prevent traditional object corruption.
  • Page Protection Layer (PPL) & Configurable TRR (CTRR): Lock down kernel pages, blocking physical reads.
  • iBoot-handoff Region Restriction: On newer devices, this region is no longer mappable, making base calculations infeasible.

The deterministic nature of Trigon—achieving exploitation without memory corruption or race conditions—presents a unique challenge to Apple’s security model.

Though the vulnerability was patched in iOS 16.5.1, risks remain for jailbroken devices and unpatched enterprise fleets.

Security researchers highlight that KTRR/CTRR, once thought to be an impenetrable defense, now requires deeper integration with SoC-level MMU policies to prevent physical mapping exploits.

Meanwhile, the Kaspersky team, who first uncovered CVE-2023-32434 during Operation Triangulation, is preparing a detailed analysis of the arm64e-compatible exploit chain observed in real-world attacks.
