A Google Project Zero researcher has released the second installment of a series documenting the exploitation of CVE-2024-54529, a type confusion vulnerability in the coreaudiod system daemon on macOS. The post builds on an earlier write-up that described how the bug was found using a technique the researcher calls knowledge-driven fuzzing.
The Vulnerability
CVE-2024-54529 resides in the com.apple.audio.audiohald Mach service, part of Apple’s CoreAudio framework. Several Mach message handlers, including _XIOContext_Fetch_Workgroup_Port, retrieve a HALS_Object from an internal Object Map using a caller-supplied ID, then operate on that object as though it is a specific type (ioct) without validating that assumption. When the handler makes a virtual call through a pointer stored inside the object, passing an object of a different type causes a crash via EXC_BAD_ACCESS.
Building the Exploit Primitive
Turning the crash into a working exploit required constructing a three-level pointer chain:
- Place a controlled pointer at offset 0x68 of the target HALS_Object on the heap.
- Have that pointer reference attacker-controlled memory whose offset 0x0 points to a fake vtable.
- Write the desired target address at offset 0x168 of the fake vtable to redirect the virtual call.
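As an added illustration (not code from the Project Zero post or from CoreAudio), the following C program simulates the three-level chain with the offsets the write-up names, and places a handler that checks an object type tag next to the one that does not. The type tag at offset 0 of the object, the object and vtable sizes, the tag values and the function names are all assumptions made for the simulation; only the 0x68, 0x0 and 0x168 offsets come from the write-up, and the checked handler is an illustrative fix, not Apple's patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Offsets from the write-up: obj+0x68 -> inner memory, inner+0x0 -> vtable, vtable+0x168 -> call target. */
enum {
    OBJ_PTR_OFFSET    = 0x68,
    VTABLE_PTR_OFFSET = 0x0,
    VTABLE_SLOT       = 0x168,
};

/* Hypothetical: a four-byte type tag at offset 0 of the object. The real HALS_Object
   layout is not described on the page; only the 0x68 offset is. */
#define TYPE_IOCT  0x696F6374u   /* "ioct", the type the handler expects */
#define TYPE_OTHER 0x6F746872u   /* "othr", any non-IOContext object */
#define OBJ_SIZE   (OBJ_PTR_OFFSET + sizeof(void *))

typedef long (*vfunc_t)(void *self);

/* Vulnerable handler shape: trusts the object fetched by ID and dispatches
   through the three-level chain with no type check. */
static long vulnerable_handler(uint8_t *obj) {
    uint8_t *inner, *vtable;
    vfunc_t fn;
    memcpy(&inner,  obj + OBJ_PTR_OFFSET,      sizeof inner);
    memcpy(&vtable, inner + VTABLE_PTR_OFFSET, sizeof vtable);
    memcpy(&fn,     vtable + VTABLE_SLOT,      sizeof fn);
    return fn(inner);
}

/* Illustrative hardened shape (assumption, not Apple's fix): verify the tag before dispatching. */
static long checked_handler(uint8_t *obj) {
    uint32_t type;
    memcpy(&type, obj, sizeof type);
    if (type != TYPE_IOCT)
        return -1;              /* wrong type: refuse instead of calling through the object */
    return vulnerable_handler(obj);
}

static long legit_method(void *self)    { (void)self; return 1; }
static long attacker_target(void *self) { (void)self; return 0x41414141L; }

/* Builds obj -> inner -> vtable with `target` in the 0x168 slot; calloc leaves other slots NULL. */
static uint8_t *build_object(uint32_t type, vfunc_t target) {
    uint8_t *vtable = calloc(1, VTABLE_SLOT + sizeof(vfunc_t));
    uint8_t *inner  = calloc(1, 0x100);       /* stands in for attacker-controlled memory */
    uint8_t *obj    = calloc(1, OBJ_SIZE);
    if (!vtable || !inner || !obj) abort();
    memcpy(vtable + VTABLE_SLOT,      &target, sizeof target);
    memcpy(inner + VTABLE_PTR_OFFSET, &vtable, sizeof vtable);
    memcpy(obj,                       &type,   sizeof type);
    memcpy(obj + OBJ_PTR_OFFSET,      &inner,  sizeof inner);
    return obj;
}

static void free_object(uint8_t *obj) {
    uint8_t *inner, *vtable;
    memcpy(&inner,  obj + OBJ_PTR_OFFSET,      sizeof inner);
    memcpy(&vtable, inner + VTABLE_PTR_OFFSET, sizeof vtable);
    free(vtable);
    free(inner);
    free(obj);
}

/* A non-IOContext object reaches the unchecked handler: the chain redirects the virtual call. */
long demo_confused_call(void) {
    uint8_t *obj = build_object(TYPE_OTHER, attacker_target);
    long r = vulnerable_handler(obj);
    free_object(obj);
    return r;                   /* 0x41414141: attacker_target ran */
}

/* The same object against the checked handler is rejected before any dereference. */
long demo_checked_rejects(void) {
    uint8_t *obj = build_object(TYPE_OTHER, attacker_target);
    long r = checked_handler(obj);
    free_object(obj);
    return r;                   /* -1 */
}

/* A genuine IOContext still dispatches normally through the checked handler. */
long demo_checked_allows(void) {
    uint8_t *obj = build_object(TYPE_IOCT, legit_method);
    long r = checked_handler(obj);
    free_object(obj);
    return r;                   /* 1 */
}

int main(void) {
    printf("unchecked handler, wrong type: %#lx\n", demo_confused_call());
    printf("checked handler, wrong type:   %ld\n", demo_checked_rejects());
    printf("checked handler, ioct:         %ld\n", demo_checked_allows());
    return 0;
}
```

The point of the simulation is the dependency order: the attacker needs a write at 0x68 of the fetched object before anything else, and each subsequent level must point at memory the attacker controls, which is exactly where the CFString approach described next breaks down.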
Dead Ends and CFString Constraints
The researcher’s first approach was to locate a CoreAudio API that would write an attacker-supplied CFString pointer into offset 0x68 of a HALS_Object. Such an API was found, but the plan failed because CFString objects carry a fixed, uncontrollable header: the data at offset 0x0 of a CFString cannot be made to point at attacker-controlled memory, so the second level of the required pointer chain cannot be built.
Custom Tooling for Heap Analysis
With straightforward object reuse ruled out, the researcher built specialized tooling to gain visibility into the coreaudiod heap. A custom object dumper, built on Ivan Fratric’s TinyInst Hook API, hooked into the live process and walked the HALS_ObjectMap linked list, printing the raw contents, size, type, and subtype of every object present. This allowed the researcher to identify controllable data and spot any existing pointers at the critical offset. A companion IDAPython script performed static analysis, tracing code paths that write to offsets of interest following a CopyObjectByObjectID call.
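As an added example (not the researcher's TinyInst-based dumper, whose source is not on this page), the following C program shows the kind of check such a dumper performs: walk a linked object map, report each object's type, subtype and size, and flag objects whose word at offset 0x68 is a live pointer into another mapped object. The node layout, the type codes and the sample map are constructed for the example; the real HALS_ObjectMap layout is not described on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CRITICAL_OFFSET 0x68   /* the offset the vulnerable handler dereferences */

/* Hypothetical stand-in for one HALS_ObjectMap entry; the real node layout is not on the page. */
typedef struct map_node {
    struct map_node *next;
    char     type[5];       /* four-character code, e.g. "ioct" */
    char     subtype[5];
    size_t   size;
    uint8_t *data;          /* the object's raw bytes */
} map_node_t;

/* True if addr falls inside the data buffer of any object in the map. */
static int points_into_map(const map_node_t *head, uintptr_t addr) {
    for (const map_node_t *n = head; n; n = n->next) {
        uintptr_t lo = (uintptr_t)n->data;
        if (addr >= lo && addr < lo + n->size) return 1;
    }
    return 0;
}

/* Walks the list, prints each object, and counts objects whose word at
   CRITICAL_OFFSET points at a mapped object (candidates for the first chain level). */
int scan_critical_offset(const map_node_t *head, int verbose) {
    int hits = 0;
    for (const map_node_t *n = head; n; n = n->next) {
        uintptr_t word = 0;
        int hit = 0;
        if (n->size >= CRITICAL_OFFSET + sizeof word) {   /* skip objects too small to reach 0x68 */
            memcpy(&word, n->data + CRITICAL_OFFSET, sizeof word);
            hit = points_into_map(head, word);
        }
        if (verbose)
            printf("type=%s subtype=%s size=%#zx +0x68=%#lx%s\n", n->type, n->subtype, n->size,
                   (unsigned long)word, hit ? "  <- pointer into a mapped object" : "");
        hits += hit;
    }
    return hits;
}

static map_node_t *add_object(map_node_t **head, const char *type, const char *subtype, size_t size) {
    map_node_t *n = calloc(1, sizeof *n);
    if (!n) abort();
    strncpy(n->type, type, 4);          /* buffers are 5 bytes and zeroed, so they stay terminated */
    strncpy(n->subtype, subtype, 4);
    n->size = size;
    n->data = calloc(1, size);
    if (!n->data) abort();
    n->next = *head;
    *head = n;
    return n;
}

/* Constructed sample map (not a real coreaudiod heap): an "ioct" object whose 0x68 word points
   into a "strm" object, a "strm" object holding a non-pointer value there, and an object too small. */
map_node_t *build_sample_map(void) {
    map_node_t *head = NULL;
    map_node_t *strm = add_object(&head, "strm", "none", 0x100);
    map_node_t *ioct = add_object(&head, "ioct", "none", 0x200);
    add_object(&head, "smol", "none", 0x40);
    uintptr_t p = (uintptr_t)strm->data + 0x10;              /* interior pointer, still inside strm */
    memcpy(ioct->data + CRITICAL_OFFSET, &p, sizeof p);
    uintptr_t junk = (uintptr_t)0x4141414141414141ULL;       /* not a valid heap address */
    memcpy(strm->data + CRITICAL_OFFSET, &junk, sizeof junk);
    return head;
}

void free_map(map_node_t *head) {
    while (head) {
        map_node_t *next = head->next;
        free(head->data);
        free(head);
        head = next;
    }
}

int demo_scan(void) {
    map_node_t *m = build_sample_map();
    int hits = scan_critical_offset(m, 0);
    free_map(m);
    return hits;        /* 1: only the ioct object carries a pointer at 0x68 */
}

int main(void) {
    map_node_t *m = build_sample_map();
    printf("%d object(s) hold a pointer at +0x68\n", scan_critical_offset(m, 1));
    free_map(m);
    return 0;
}
```

Against a live process the walker would read the list through the instrumentation hook rather than own the nodes, but the classification step is the same: the interesting objects are those where the word at the critical offset already lands inside memory whose contents the attacker can influence.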
The write-up also references a second vulnerability, CVE-2025-31235, a double-free in the same daemon found during the same research effort, though exploitation details for that bug are not covered in this installment.
Both vulnerabilities were disclosed through Apple’s security update process. Security teams maintaining macOS endpoints should verify that the relevant Apple security patches are applied, given that coreaudiod runs as a privileged system daemon reachable over local Mach IPC.
