

Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529

In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability (CVE-2024-54529) and a double-free vulnerability (CVE-2025-31235) in the coreaudiod system daemon through a process I call knowledge-driven fuzzing. While the first post focused on the process of finding the vulnerabilities, this post dives into the intricate process of exploiting the type confusion vulnerability. I’ll explain the technical details of turning a potentially exploitable crash into a working exploit: a journey filled with dead ends, creative problem solving, and ultimately, success.

The Vulnerability: A Quick Recap

If you haven’t already, I highly recommend reading my detailed writeup on this vulnerability before proceeding. As a refresher, CVE-2024-54529 is a type confusion vulnerability within the com.apple.audio.audiohald Mach service in the CoreAudio framework used by the coreaudiod process. Several Mach message handlers, such as _XIOContext_Fetch_Workgroup_Port, would fetch a HALS_Object from the Object Map based on an ID from the Mach message, and then perform operations on it, assuming it was of a specific type (ioct) without proper validation.
This incorrect assumption led to a crash when the code attempted to make a virtual call on an object whose pointer was stored inside the HALS_Object, as shown in the stack trace below:

    Process 82516 stopped
    * thread #8, queue = 'com.apple.audio.system-event', stop reason = EXC_BAD_ACCESS (code=1, address=0xffff805cdc7f7daf)
        frame #0: 0x00007ff81224879a CoreAudio`_XIOContext_Fetch_Workgroup_Port + 294
    CoreAudio`_XIOContext_Fetch_Workgroup_Port:
        0x7ff81224879a <+291>: mov    rax, qword ptr [rdi]
    ->  0x7ff81224879d <+294>: call   qword ptr [rax + 0x168]
        0x7ff8122487a3 <+300>: mov    dword ptr [rbx + 0x1c], eax
        0x7ff8122487a6 <+303>: mov    rdi, r13
    (lldb) bt
    * thread #8, queue = 'com.apple.audio.system-event', stop reason = EXC_BAD_ACCESS (code=1, address=0xffff805cdc7f7daf)
      * frame #0: 0x00007ff81224879a CoreAudio`_XIOContext_Fetch_Workgroup_Port + 294
        frame #1: 0x00007ff812249c81 CoreAudio`HALB_MIGServer_server + 84
        frame #2: 0x00007ff80f359032 libdispatch.dylib`dispatch_mig_server + 362
        frame #3: 0x00007ff811f202ed CoreAudio`invocation function for block in AMCP::Utility::Dispatch_Queue::install_mig_server(unsigned int, unsigned int, unsigned int (*)(mach_msg_header_t*, mach_msg_header_t*), bool, bool) + 42
        frame #4: 0x00007ff80f33e7e2 libdispatch.dylib`_dispatch_client_callout + 8
        frame #5: 0x00007ff80f34136d libdispatch.dylib`_dispatch_continuation_pop + 511
        frame #6: 0x00007ff80f351c83 libdispatch.dylib`_dispatch_source_invoke + 2077
        frame #7: 0x00007ff80f3447ba libdispatch.dylib`_dispatch_lane_serial_drain + 322
        frame #8: 0x00007ff80f3453e2 libdispatch.dylib`_dispatch_lane_invoke + 377
        frame #9: 0x00007ff80f346393 libdispatch.dylib`_dispatch_workloop_invoke + 782
        frame #10: 0x00007
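As an added illustration (not code from the post or from CoreAudio), the following C model reduces the lookup-then-cast pattern described above to its essentials: an Object Map keyed by the ID taken from the Mach message, a four-character class tag on every object, and a handler that calls through a pointer that only exists in the ioct layout. The struct layouts, object IDs, the 'dev ' tag and the stub method are assumptions of the model; the checked variant shows the validation the handler was missing.

```c
#include <stdint.h>
#include <stdlib.h>

/* Modelled on the page's description, not Apple's code: every HALS_Object
 * carries a four-character class tag and is found by ID in an Object Map. */
#define FOURCC(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define kClassIOContext FOURCC('i', 'o', 'c', 't')
#define kClassDevice    FOURCC('d', 'e', 'v', ' ')   /* assumed tag for a non-ioct object */

typedef struct { uint32_t object_id; uint32_t class_id; } HALS_Object;

/* The IOContext subtype stores a pointer to a helper whose method the handler
 * calls; a Device keeps a plain integer at that same offset (assumed layouts). */
typedef struct { int (*fetch_workgroup_port)(void *self); } WorkgroupOps;
typedef struct { HALS_Object base; WorkgroupOps *ops; } HALS_IOContext;
typedef struct { HALS_Object base; uint64_t sample_rate; } HALS_Device;

static int stub_fetch(void *self) { (void)self; return 0x1234; } /* stand-in port name */
static WorkgroupOps   g_ops   = { stub_fetch };
static HALS_IOContext g_ioctx = { { 37, kClassIOContext }, &g_ops };
static HALS_Device    g_dev   = { { 42, kClassDevice }, 48000 };

/* Object Map lookup keyed by the ID taken from the Mach message (constructed map). */
static HALS_Object *object_map_lookup(uint32_t id) {
    if (id == 37) return &g_ioctx.base;
    if (id == 42) return &g_dev.base;
    return NULL;
}

/* Before: the handler casts whatever the map returns to an IOContext. Given the
 * Device's ID it would read sample_rate (48000) as an ops pointer and call through
 * it, the same shape as the EXC_BAD_ACCESS above (only invoke it with ID 37 here). */
int fetch_workgroup_port_unchecked(uint32_t object_id, int *out_port) {
    HALS_IOContext *ctx = (HALS_IOContext *)object_map_lookup(object_id);
    if (ctx == NULL) return -1;
    *out_port = ctx->ops->fetch_workgroup_port(ctx);
    return 0;
}

/* After: validate the class tag before trusting the layout. */
int fetch_workgroup_port_checked(uint32_t object_id, int *out_port) {
    HALS_Object *obj = object_map_lookup(object_id);
    if (obj == NULL) return -1;                       /* unknown ID */
    if (obj->class_id != kClassIOContext) return -2;  /* wrong object type, refuse */
    HALS_IOContext *ctx = (HALS_IOContext *)obj;
    *out_port = ctx->ops->fetch_workgroup_port(ctx);
    return 0;
}

/* Convenience wrapper: the port on success, otherwise the negative error code. */
int checked_port_for(uint32_t id) { int p = 0; int rc = fetch_workgroup_port_checked(id, &p); return rc == 0 ? p : rc; }
```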


Originally published by Google Project Zero

Source: https://projectzero.google/2026/01/sound-barrier-2.html
