
macOS ping utility contains deterministic BSS out-of-bounds write vulnerability
Vulnerabilities, macOS, Security Bug, Memory Corruption, Out-of-Bounds Write, BSS Segment, Apple, Local Vulnerability
The /sbin/ping utility on macOS lacks a bounds check for the -G sweepmax parameter, allowing an out-of-bounds write into adjacent memory in the BSS segment. The write is deterministic, with each byte at offset N set to (N-1) % 256, and can corrupt static variables like file descriptors or pointers. Apple confirmed the issue on April 16, 2026, and plans a fix for Fall 2026. The vulnerability is local-only and does not enable privilege escalation on macOS 11+.
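The missing check and the deterministic pattern can be seen in a small model. This is an added example, not Apple's ping source: the buffer capacity, the arena that stands in for the BSS segment, the function names, and counting offsets from the start of the buffer are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Apple's source: one arena stands in for the BSS
 * segment, so the overrun is observable without undefined behaviour. */
#define PKT_CAP   64   /* assumed capacity of the static packet buffer */
#define ARENA_LEN 128  /* packet buffer plus the statics placed after it */
#define UNTOUCHED 0xEE /* marker for bytes the fill loop never reached */
static unsigned char arena[ARENA_LEN];

/* Fill pattern from the advisory: byte at offset N becomes (N-1) % 256.
 * Returns the number of bytes written beyond the packet buffer. */
static size_t fill(size_t len)
{
    size_t past = 0;
    memset(arena, UNTOUCHED, sizeof arena);
    for (size_t n = 1; n < len && n < ARENA_LEN; n++) {
        arena[n] = (unsigned char)((n - 1) % 256);
        past += (n >= PKT_CAP);
    }
    return past;
}

/* Before: the -G value is trusted as the fill length. */
size_t fill_unchecked(size_t sweepmax) { return fill(sweepmax); }

/* After: parse the -G argument and reject what the buffer cannot hold. */
int parse_sweepmax(const char *arg, size_t *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(arg, &end, 10);
    if (errno || end == arg || *end != '\0' || v == 0 || v > PKT_CAP)
        return -1;
    *out = (size_t)v;
    return 0;
}

int main(void)
{
    size_t len = 0;
    size_t past = fill_unchecked(100);
    printf("unchecked -G 100: %zu bytes past buffer, arena[%d]=%u\n",
           past, PKT_CAP, (unsigned)arena[PKT_CAP]);
    printf("checked   -G 100: %s\n",
           parse_sweepmax("100", &len) ? "rejected" : "accepted");
    return 0;
}
```

Because the written values depend only on the offset, a corrupted neighbouring static holds a predictable byte sequence, which is what makes the fault reproducible when triaging a crash.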