WebKit JIT integer-to-float exploit

- Security researcher Xin published a March 19 write-up showing a WebKit JavaScriptCore DFG type-confusion bug that reaches arbitrary memory read and write on iPhone.
- The bug is a one-word mistake: `MapIterationEntryKey` was tagged `NodeResultInt32` instead of `NodeResultJS`, and Xin reported about 80% exploit success.
- Google’s Coruna report shows browser-delivered iPhone exploit chains are already in circulation across 23 exploits and five chains. (cloud.google.com)

JavaScript just-in-time compilers speed up code by guessing what kinds of values a function will keep using, then generating machine code for that pattern. When the guess is wrong, the optimized code can handle data with the wrong layout. (trustfoundry.net) (ret0.dev) On March 19, researcher Xin published a WebKit exploit write-up that starts with a one-byte type declaration error in JavaScriptCore’s Data Flow Graph, or DFG, compiler. The bug turns a bookkeeping mistake into arbitrary memory read and write on a stock iPhone. (ret0.dev)

The specific mistake sits in `DFGNodeType.h`, where `MapIterationEntryKey` was declared as producing a 32-bit integer even though the runtime can return any JavaScript value, including object pointers. That mismatch lets later optimization stages skip protections they should have kept. (ret0.dev) Xin wrote that the bad type tag can suppress garbage-collector write barriers, creating a use-after-free condition. From there, the exploit chain builds stable arbitrary read and write with an end-to-end success rate of about 80% on iOS 26.1. (ret0.dev)

This is the part that makes JIT bugs dangerous in plain English: the browser starts treating one kind of data as another kind of data, like reading a street address as a bank balance. Once an attacker can read and overwrite memory, they can often pivot toward code execution inside the browser process. (projectzero.google) (ret0.dev)

The write-up lands weeks after Google Threat Intelligence Group disclosed “Coruna,” an iPhone exploit kit with five full chains and 23 exploits targeting iOS 13.0 through 17.2.1. Google said the framework selected a WebKit remote-code-execution exploit after fingerprinting the victim device in JavaScript. (cloud.google.com) Google said Coruna moved during 2025 from a customer of a surveillance vendor to a suspected Russian espionage group and later to a financially motivated actor operating from China. That timeline showed advanced browser-to-device exploitation techniques spreading beyond a single operator. (cloud.google.com) (cside.com)

Xin’s bug is not presented by Google as the Coruna entry point, and Apple’s February 11 Safari 26.3 and iOS 26.3 advisories do not publicly list this bug by name or Bugzilla number. Xin’s post says the issue was fixed in Safari 26.3 and affected Safari 26.2 and earlier. (support.apple.com 1) (support.apple.com 2) (ret0.dev)

WebKit is not just Safari: Apple’s own documentation says the engine is also used by apps including Mail and the App Store, and WebKit’s modern app interface is `WKWebView`. That means browser-engine flaws can matter anywhere an app embeds web content, not only in the browser tab users can see. (webkit.org 1) (webkit.org 2)

The immediate takeaway is simple and comes with dates attached: Xin disclosed the exploit path on March 19, 2026, and Apple shipped Safari 26.3 and iOS 26.3 on February 11, 2026. Devices that have not moved past older Safari or iOS builds are carrying more risk than the same hardware on current software. (ret0.dev) (support.apple.com 1) (support.apple.com 2)

Shared from Scout - Be the smartest in the room.