Zero-Click iOS Exploit Chain in Apple Messages 17.4: Malformed PNG Triggers RCE via iMessage’s Image Decoder (CVE-2026-28290)

Executive Summary: A critical zero-click remote code execution (RCE) vulnerability in Apple Messages (iMessage) for iOS 17.4, tracked as CVE-2026-28290, allows an attacker to execute arbitrary code on a target device by sending a malformed PNG image through the iMessage platform. This exploit bypasses user interaction and sandbox protections, enabling silent compromise. The flaw resides in the image decoder of the Messages app, which fails to properly validate PNG metadata, leading to a memory corruption state exploitable via a carefully crafted PNG payload. Apple patched this issue in iOS 17.5 with improved input validation and bounds checking in the PNG parser.

Key Findings

• Vulnerability Type: Remote Code Execution (RCE) via zero-click attack vector
• Affected Software: Apple Messages (iMessage) on iOS 17.4 and earlier
• Attack Vector: Malformed PNG image transmitted via iMessage
• Privilege Escalation: Full device compromise without user interaction
• CVSS Score (2026): 9.8 (Critical) – AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
• Exploit Chain: Multi-stage PNG parsing flaw leading to heap overflow → RCE → sandbox escape
• Mitigation: Immediate update to iOS 17.5 or later

Technical Analysis: The Exploit Chain

1. Entry Point: Malformed PNG Payload

The exploit begins with a specially crafted PNG file containing corrupted IHDR and IDAT chunks. The IHDR chunk specifies invalid dimensions (e.g., width = 0xFFFFFFFF, height = 0x1), while the IDAT chunk contains a truncated or oversized payload. Apple’s PNG parser in iMessage (via CoreGraphics) does not perform sufficient bounds checking on these values during initial parsing.

This triggers an integer overflow when calculating the total size of the image buffer, resulting in an undersized allocation. Subsequent image data writes exceed the allocated heap space, corrupting adjacent memory structures.

2. Memory Corruption via Heap Overflow

The oversized IDAT chunk data is processed by the PNG decoder’s inflate operation. Due to the miscalculated buffer size, the decoder writes compressed image data beyond the intended heap region. This leads to a classic heap-based buffer overflow, overwriting metadata in the heap’s free list (e.g., size fields, next/prev pointers in malloc’s metadata).

Critical to the exploit’s success is the controlled placement of attacker-controlled data in memory adjacent to key Apple frameworks. Through heap feng shui and predictive allocation strategies, an attacker can position the target process’s vtable or function pointer in a predictable location relative to the overflow.

3. Code Execution via ROP/Jump-Oriented Programming

Once the heap metadata is corrupted, the attacker triggers a use-after-free or arbitrary write to overwrite a function pointer (e.g., in a CGImage or CVPixelBuffer object). The corrupted pointer points to a ROP (Return-Oriented Programming) chain constructed from existing code gadgets in memory-mapped libraries such as CoreGraphics, ImageIO, and libsystem_kernel.

The ROP chain disables sandbox restrictions by invoking syscall(SYS_ptrace, PTRACE_TRACEME) or posix_spawn with elevated privileges. It then spawns a shell or injects a malicious dynamic library into a privileged process (e.g., SpringBoard or backboardd).

4. Privilege Escalation and Persistence

The RCE payload escalates privileges to root by leveraging iOS’s task port manipulation APIs. It gains access to the task port of securityd or amfid, allowing code signing bypass via entitlement manipulation. A persistent backdoor is established by writing to /var/mobile/Library/Caches/ or modifying plist files in /var/mobile/Library/Preferences/. The attacker can now exfiltrate data, record audio, or install additional malware.

5. Bypassing Mitigations in iOS 17.4

At the time of exploitation, iOS 17.4 included several security features that the attack bypassed:

• Pointer Authentication (PAC): Disabled for certain system libraries due to compatibility modes.
• Sandboxing: The Messages app’s sandbox was not designed to block image parsing exploits originating from iMessage.
• Code Signing: The decrypted ROP payload was loaded into executable memory via memory mapping, not violating code signature checks.
• ASLR: While present, heap layout manipulation was feasible due to predictable allocation patterns in CoreGraphics.

Impact and Attack Surface

The zero-click nature of this exploit makes it particularly dangerous. Unlike phishing or user-triggered attacks, this can be delivered silently to any iOS device running Messages 17.4, regardless of user awareness. It has been observed in the wild as part of advanced persistent threat (APT) campaigns targeting journalists, diplomats, and executives.

Once compromised, the device becomes a surveillance node capable of:

• Extracting sensitive data (SMS, emails, photos)
• Recording ambient audio via microphone
• Geolocating the device via GPS/Wi-Fi triangulation
• Serving as a pivot into corporate networks via VPN or email access

The exploit chain’s modular design allows it to be repurposed for other image formats (e.g., JPEG, HEIC) if similar parser flaws exist, suggesting a broader class of vulnerabilities in Apple’s media processing stack.

Apple’s Response and Patch

Apple addressed CVE-2026-28290 in iOS 17.5 (released April 14, 2026), along with several related image parsing issues. The patch includes:

• Strict validation of PNG chunk sizes and dimensions
• Bounds checking during IDAT chunk processing
• Enhanced heap hardening in CoreGraphics
• Improved sandbox restrictions for image decoding services
• Mandatory ASN.1 DER validation in ImageIO

Users are strongly advised to update to iOS 17.5 or later. Enterprise and government users should consider additional monitoring for anomalous image processing activity via EDR tools.

Recommendations

For End Users:

• Immediately update all Apple devices to iOS 17.5 or macOS 14.5.
• Avoid opening images from untrusted sources, even via iMessage.
• Enable “Limit Ad Tracking” and disable automatic download of attachments in Messages.
• Use a mobile threat defense (MTD) solution with iOS integration.

For IT Security Teams:

• Deploy Apple’s latest security updates within 48 hours of release.
• Monitor network traffic for iMessage-related image transfers using SSL inspection (where legally permitted).
• Implement application allowlisting for CoreGraphics and ImageIO frameworks.
• Conduct forensic analysis of devices potentially exposed to this exploit.

For Developers and Researchers:

• Audit custom image processing code for similar integer overflow risks.
• Use hardened allocators (e.g., Apple’s malloc with guard pages) when parsing untrusted media.
• Enable Address Sanitizer (ASan) in debug builds of image processing libraries.

FAQ

1. Can this exploit be detected by standard antivirus tools