Trigon: New Exploit Targets iOS Kernel Zero-Day

Security researchers have uncovered a sophisticated kernel exploit for iOS devices, dubbed Trigon, which leverages a critical vulnerability in the XNU kernel’s virtual memory subsystem. This exploit, associated with the “Operation Triangulation” spyware campaign, provides attackers with arbitrary kernel read/write capabilities without triggering kernel panics—a rare feat in modern iOS exploitation.

Main Takeaway

The Trigon exploit targets CVE-2023-32434, an integer overflow in the mach_make_memory_entry_64 function of the XNU kernel. By exploiting this flaw, attackers can create malicious memory entries that span far beyond physical device limits, bypassing critical sanity checks and enabling the mapping of kernel memory into user space. This allows for:

  • Forging parent memory entries in restricted regions.
  • Mapping arbitrary physical addresses into the attacker’s process.
  • Bypassing Page Validation Hash protections.
  • Manipulating kernel structures to gain root privileges.
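The bug class at the root of CVE-2023-32434 is an unchecked size computation: a bounds check that computes `offset + size` in 64-bit arithmetic accepts an absurdly large request once the addition wraps. The following is an added illustration from the defender's side, not Trigon's code and not XNU source: a naive range check beside a hardened one that rejects wrap-around with the compiler's `__builtin_add_overflow` (GCC/Clang), plus a page-rounding helper that fails instead of wrapping. The function names, the 16 KiB page size and the sample values are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model, not XNU code: a caller asks for a memory entry
 * covering [offset, offset + size) inside a backing object of
 * object_size bytes. Assumed 16 KiB pages, as on arm64 iOS. */
#define MODEL_PAGE_SIZE 0x4000ULL

/* Naive check: if offset + size wraps past UINT64_MAX, a request that
 * "spans beyond physical limits" looks small and passes the test. */
bool naive_range_ok(uint64_t offset, uint64_t size, uint64_t object_size) {
    uint64_t end = offset + size;   /* silent wrap-around on overflow */
    return end <= object_size;
}

/* Hardened check: reject empty ranges and any addition that overflows
 * before comparing against the object size. */
bool checked_range_ok(uint64_t offset, uint64_t size, uint64_t object_size) {
    uint64_t end;
    if (size == 0) {
        return false;
    }
    if (__builtin_add_overflow(offset, size, &end)) {
        return false;               /* would wrap: refuse the request */
    }
    return end <= object_size;
}

/* Rounding a size up to a page boundary is another place where adding
 * (PAGE_SIZE - 1) can wrap to a tiny value; fail explicitly instead. */
bool round_page_checked(uint64_t size, uint64_t *rounded) {
    uint64_t tmp;
    if (__builtin_add_overflow(size, MODEL_PAGE_SIZE - 1, &tmp)) {
        return false;
    }
    *rounded = tmp & ~(MODEL_PAGE_SIZE - 1);
    return true;
}

int main(void) {
    /* Constructed values: a request whose end wraps around to 0x7ff. */
    uint64_t offset = 0x1000;
    uint64_t size = UINT64_MAX - 0x800;
    uint64_t object_size = 0x10000;
    uint64_t rounded = 0;

    printf("naive   accepts oversized request: %s\n",
           naive_range_ok(offset, size, object_size) ? "yes" : "no");
    printf("checked accepts oversized request: %s\n",
           checked_range_ok(offset, size, object_size) ? "yes" : "no");
    printf("round_page(0x4001) ok: %s -> 0x%llx\n",
           round_page_checked(0x4001, &rounded) ? "yes" : "no",
           (unsigned long long)rounded);
    printf("round_page(near max) ok: %s\n",
           round_page_checked(UINT64_MAX - 0x100, &rounded) ? "yes" : "no");
    return 0;
}
```

The point of the pair is that the two checks agree on every ordinary input and differ only when the arithmetic wraps, which is exactly the input an attacker supplies; a code reviewer or fuzzer harness can diff them on boundary values to catch this class of defect before it reaches a kernel.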

The exploit currently supports A10(X)-based devices (iPhone 7, iPad 6th Gen) running iOS 13–16.5.1. However, newer devices with Arm64e (A12+) and A11 SoCs are excluded due to hardware-enforced mitigations.

Exploit Chain Overview

Stage 1: Privileged Memory Entry Creation

The exploit begins by forging a parent memory entry in PurpleGfxMem, a restricted memory region typically reserved for GPU operations. By crafting an IOSurface object with the IOSurfaceMemoryRegion property set to PurpleGfxMem, attackers bypass XNU’s vm_page_insert_internal panic checks, as PurpleGfxMem entries lack the internal flag enforced for standard allocations. This allows unrestricted mapping of physical memory.

Stage 2: Physical Memory Mapping Primitive

Using the oversized memory entry, Trigon maps arbitrary physical addresses into the attacker’s process via mach_vm_map. By calculating offsets relative to the iboot-handoff region—a bootloader-passed data structure in DRAM—the exploit dynamically resolves the kernel slide and Kernel Text Read-Only Region (KTRR) boundaries.

Stage 3: Kernel Read/Write via IOSurface Spray

To bypass Page Validation Hash (PVH) protections, Trigon sprays thousands of IOSurface objects into physical memory. The exploit identifies non-page-table regions housing sprayed objects by scanning the pv_head_table—a kernel structure tracking page types. Once located, these surfaces are manipulated to forge task_t and proc_t structures, granting root privileges and disabling sandboxing.

Impact and Mitigations

The Trigon exploit poses a unique challenge to Apple’s security model due to its deterministic nature—achieving success without memory corruption or race conditions. While patched in iOS 16.5.1, lingering risks exist for jailbroken devices and unpatched enterprise fleets.

Researchers emphasize that KTRR/CTRR, once considered unassailable, now requires deeper integration with SoC-level MMU policies to block physical mapping exploits.
