Google Project Zero Researcher Details Exploitation of macOS CoreAudio Type Confusion Vulnerability (CVE-2024-54529)

A Google Project Zero researcher has detailed the exploitation of vulnerability CVE-2024-54529, a type confusion flaw affecting the Mach service com.apple.audio.audiohald within the CoreAudio framework used by the coreaudiod daemon on macOS. Several Mach message handlers, such as _XIOContext_Fetch_Workgroup_Port, retrieve a HALS_Object from an Object Map without type validation, assuming it is an ioct object. The exploitation enables control flow hijacking via a controlled pointer chain, leading to a virtual call on an arbitrary address at offset 0x168. The article outlines the technical steps to transform the crash into a functional exploit, including heap memory manipulation and the creation of fake vtables.