Security researchers at Paradigm Shift have revealed a working exploit, dubbed usbliter8, that achieves arbitrary code execution within the SecureROM of Apple's A12 and A13 chips.
That code is burned into the silicon at manufacture. No software update can reach it. Affected devices will carry this flaw for as long as they remain in use.
This is not a remote attack. It requires physical possession of the device, which must be in DFU mode and connected over USB to a dedicated RP2350-based microcontroller board. With that setup, the exploit completes in under two seconds, before Apple's signed boot chain loads.
The full technical write-up and a working proof of concept went public on June 18, 2026, following coordinated disclosure with Apple Product Security.
Affected Devices
The public PoC supports the A12, A13, S4, and S5 SoCs. A12X and A12Z support is described as theoretically possible but not yet implemented.
Device families in that range include the iPhone XS, XS Max, and XR; the iPhone 11, 11 Pro, and 11 Pro Max; the iPhone SE (2nd generation); the iPad Air 3rd gen, iPad mini 5th gen, and iPad 8th gen; Apple Watch Series 4 and 5; the first-generation Apple Watch SE; the HomePod mini; and other Apple products built on these chips. A11 is not affected. A14 and later appear to be out of reach for this exploit path.
The Bug
The root issue is a hardware flaw in the Synopsys DWC2 USB controller.
The controller stores incoming USB Setup packets via DMA, buffers up to three, then resets its write pointer on the fourth by decrementing it by a fixed 24 bytes. It also accepts smaller-than-standard packets, incrementing the pointer only by the bytes actually written. That mismatch accumulates into a repeatable buffer underflow, stepping the write pointer backwards through memory 12 bytes at a time.
What makes this exploitable on A12 and A13 is how Apple configures the USB DART (Device Address Resolution Table, the chip's IOMMU) inside SecureROM. On affected devices it runs in bypass mode, so the underflowing DMA pointer can reach and overwrite arbitrary SRAM.
A11 is not affected because its USB driver manually resets the DMA address after every packet, so the mismatch never accumulates. A14 and later appear to configure the DART correctly, which Paradigm Shift says makes the vulnerability unexploitable on newer hardware.
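To make the pointer arithmetic above concrete, here is a small model of the write-pointer behaviour the article describes, added here as an illustration; it is not code from Paradigm Shift's write-up and it touches no hardware. It takes from the text only the three-packet window, the fixed 24-byte rewind on the fourth packet, and the fact that a short packet advances the pointer by its real length; the buffer base address, the packet lengths fed in, and the `reset_after_each` switch that stands in for the A11 driver's per-packet DMA reset are constructed assumptions. Running it shows why standard 8-byte packets keep the pointer inside the buffer, why 4-byte packets drift it backwards by 12 bytes per window, and why resetting after every packet (the A11 behaviour) makes the drift impossible.

```python
# Added example: toy model of the DWC2 Setup-packet write pointer as the
# article describes it. Constants marked "constructed" are not from the page.

SETUP_PACKET_LEN = 8      # a standard USB Setup packet is 8 bytes
PACKETS_PER_WINDOW = 3    # the controller buffers three, then resets on the fourth
RESET_STEP = 24           # fixed rewind applied on the fourth packet (3 * 8 bytes)
BUFFER_BASE = 0x1000      # constructed placeholder, not a real SRAM address


def simulate_write_pointer(packet_lengths, buffer_base=BUFFER_BASE, reset_after_each=False):
    """Return the write-pointer value in effect before each packet is written.

    packet_lengths:   sizes of the successive Setup packets the host sends
                      (the controller accepts anything up to the 8-byte standard).
    reset_after_each: model the A11 driver, which resets the DMA address after
                      every packet so no mismatch can accumulate.
    """
    ptr = buffer_base
    history = []
    for i, length in enumerate(packet_lengths):
        if not 0 < length <= SETUP_PACKET_LEN:
            raise ValueError(f"packet {i}: length {length} is not a valid Setup packet size")
        # Every fourth packet first rewinds the pointer by the fixed 24 bytes,
        # regardless of how many bytes the previous three actually wrote.
        if i > 0 and i % PACKETS_PER_WINDOW == 0 and not reset_after_each:
            ptr -= RESET_STEP
        history.append(ptr)
        ptr += length  # the pointer advances only by the bytes actually written
        if reset_after_each:
            ptr = buffer_base  # A11 behaviour: back to the buffer start every time
    return history


def drift_per_window(packet_length):
    """Net pointer movement over one three-packet window plus its rewind.

    Zero for standard 8-byte packets; negative for anything shorter, which is
    the underflow the article describes (4-byte packets give -12).
    """
    return PACKETS_PER_WINDOW * packet_length - RESET_STEP


def first_underflow_index(history, buffer_base=BUFFER_BASE):
    """Index of the first packet whose write pointer sits below the buffer, or None."""
    for i, ptr in enumerate(history):
        if ptr < buffer_base:
            return i
    return None


if __name__ == "__main__":
    for length in (8, 4):
        hist = simulate_write_pointer([length] * 7)
        print(f"{length}-byte packets: drift {drift_per_window(length):+d} per window, "
              f"pointers {[hex(p) for p in hist]}, first underflow at packet "
              f"{first_underflow_index(hist)}")
    hist_a11 = simulate_write_pointer([4] * 7, reset_after_each=True)
    print(f"A11-style per-packet reset: {[hex(p) for p in hist_a11]}")
```

The interesting output is the 4-byte run: after the first window the pointer lands 12 bytes below the buffer and keeps descending by 12 per window, which is exactly the backwards stepping the article describes. With `reset_after_each=True` the history is flat at the buffer base, which is why the per-packet reset in A11's driver is a sufficient fix at the driver level even though the controller quirk itself is still present.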
Getting Code Execution
On A12, the DMA buffer sits adjacent to the USB task's stack on the heap. Overwriting a saved link register hands the attacker control of the program counter on the next context switch.
A13 is harder. Pointer Authentication (PAC) protects stack-stored return addresses. Paradigm Shift bypassed it in stages. Corrupting DART-related heap structures created limited write primitives. Overwriting the panic depth counter made the chip loop on errors instead of rebooting. Careful DMA write timing avoided clobbering the USB task's saved registers.
The final step overwrote the USB interrupt handler pointer in BSS. The next USB interrupt then ran attacker-supplied code. Either path ends with execution at EL1, the chip's privileged mode, inside SecureROM.
What an Attacker Gets
Post-exploitation, usbliter8 injects a custom USB request handler and stamps PWND:[usbliter8] into the device's USB serial string. From there, an attacker can temporarily demote the SoC's production mode or boot a raw, unsigned iBoot image with no signature checks, stepping outside Apple's chain of trust entirely.
The research does not show a Secure Enclave compromise. Apple's Secure Enclave is designed as a separate security boundary, isolated from the application processor. Paradigm Shift warns that BootROM-level control may open new routes for attacking it.
No Software Patch
The closest public precedent is checkm8, the 2019 SecureROM exploit that permanently put A5-through-A11 devices outside Apple's patch authority.
Like checkm8, usbliter8 requires physical access and DFU mode and cannot be closed with a firmware update. usbliter8 extends that situation to the next chip generation.
As of June 19, 2026, no CVE, CVSS score, Apple security advisory, or CISA alert had been issued, and no in-the-wild exploitation had been publicly reported.
For most users, the practical risk is low: an attacker needs the physical device, the right cable, and the knowledge to force DFU mode. For high-security environments, this is now a hardware-retirement and device-custody problem.
If a device runs one of the affected chips, the physical boundary is permanently gone; safety depends on controlling when and where the device can be plugged in. Inventory A12, A13, S4, and S5 hardware in sensitive roles, prioritize refreshes toward A14 or newer, and avoid DFU mode over untrusted USB cables or hosts.
The code is public. That is usually how exploit research stops being a demo and starts being someone else's tool.
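The inventory step above is easy to state and tedious to do by hand across a fleet. The script below is an added example, not part of the article or of Paradigm Shift's release: it triages an MDM-style inventory export against the SoC list the article gives, ranks affected hardware in sensitive roles first, and refuses to guess about models it cannot map. The inventory lines are constructed sample data. The model-to-chip table covers the products the article names, plus iPhone 8 (A11) and iPhone 12 (A14) as contrast entries from Apple's public specifications; the role values, asset ids, and action wording are assumptions for this example.

```python
import csv
import io

# Added example, not from the article: triage a device inventory against the
# SoCs the article lists as affected. SAMPLE_INVENTORY is constructed data.

AFFECTED_SOCS = {"A12", "A13", "S4", "S5"}   # public PoC targets, per the article
POSSIBLE_SOCS = {"A12X", "A12Z"}             # "theoretically possible, not yet implemented"

# Products the article names, plus two contrast models (A11 and A14) from
# Apple's public specifications. Anything else is reported as unknown.
MODEL_TO_SOC = {
    "iPhone XS": "A12", "iPhone XS Max": "A12", "iPhone XR": "A12",
    "iPhone 11": "A13", "iPhone 11 Pro": "A13", "iPhone 11 Pro Max": "A13",
    "iPhone SE (2nd generation)": "A13",
    "iPad Air (3rd generation)": "A12", "iPad mini (5th generation)": "A12",
    "iPad (8th generation)": "A12",
    "Apple Watch Series 4": "S4", "Apple Watch Series 5": "S5",
    "Apple Watch SE (1st generation)": "S5", "HomePod mini": "S5",
    "iPhone 8": "A11", "iPhone 12": "A14",
}

# Lower number is handled first. Actions paraphrase the article's guidance.
PRIORITY = {"affected": 1, "possible": 2, "unknown": 3, "unaffected": 4}
ACTIONS = {
    "affected": "retire or refresh toward A14 or newer; enforce USB/DFU custody controls",
    "possible": "treat as affected pending confirmation; same custody controls",
    "unknown": "model not in SoC table; look up the chip before deciding",
    "unaffected": "no action for this exploit path",
}

# Constructed sample export: asset id, model string, and the role the device fills.
SAMPLE_INVENTORY = """asset_id,model,role
IT-0001,iPhone 11 Pro,sensitive
IT-0002,iPhone 12,sensitive
IT-0003,iPad (8th generation),standard
IT-0004,Apple Watch Series 5,sensitive
IT-0005,iPhone 8,standard
IT-0006,iPad Pro (12.9-inch) (3rd generation),standard
"""


def classify_soc(soc):
    """Map a SoC name (or None for an unmapped model) to a triage status."""
    if soc is None:
        return "unknown"
    if soc in AFFECTED_SOCS:
        return "affected"
    if soc in POSSIBLE_SOCS:
        return "possible"
    return "unaffected"


def triage(inventory_csv):
    """Return inventory rows annotated with chip, status, priority and action, sorted."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        soc = MODEL_TO_SOC.get(rec["model"])
        status = classify_soc(soc)
        priority = PRIORITY[status]
        # Affected hardware in a sensitive role jumps the queue.
        if status == "affected" and rec["role"] == "sensitive":
            priority = 0
        rows.append({
            "asset_id": rec["asset_id"], "model": rec["model"], "role": rec["role"],
            "soc": soc or "?", "status": status, "priority": priority,
            "action": ACTIONS[status],
        })
    rows.sort(key=lambda r: (r["priority"], r["asset_id"]))
    return rows


def summarize(rows):
    """Count rows per status so the report has a one-line headline."""
    return {status: sum(1 for r in rows if r["status"] == status) for status in PRIORITY}


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    print(summarize(report))
    for r in report:
        print(f'{r["priority"]} {r["asset_id"]:8} {r["model"]:40} {r["soc"]:5} '
              f'{r["status"]:10} {r["action"]}')
```

The unknown path is deliberate: an iPad Pro in the sample is not in the table, so it is surfaced for a manual chip lookup rather than silently marked safe, which is the failure you most want to avoid when the whole point of the exercise is finding hardware that can never be patched.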