Security researchers at Paradigm Shift have released a working exploit called usbliter8 that can run arbitrary code within the SecureROM of Apple’s A12 and A13 processors.
SecureROM code is permanently etched into the chip during manufacturing. It cannot be altered by any software update. Any device with this flaw will remain vulnerable for its entire lifespan.
This attack cannot be carried out remotely. It requires the attacker to physically hold the device, put it into DFU mode, and connect it via USB to a specialized microcontroller board based on the RP2350 chip. Once set up, the exploit completes in less than two seconds, well before Apple’s verified boot process begins.
The detailed technical report and a functional proof of concept were made public on June 18, 2026, after coordinated disclosure with Apple Product Security.
Affected Devices
The public proof of concept works on A12, A13, S4, and S5 SoCs. Support for A12X and A12Z is considered theoretically feasible but has not yet been implemented.
Devices in this category include the iPhone XS, XS Max, and XR; the iPhone 11, 11 Pro, and 11 Pro Max; the iPhone SE (2nd generation); the iPad Air (3rd gen), iPad mini (5th gen), and iPad (8th gen); Apple Watch Series 4 and 5; the first-generation Apple Watch SE; the HomePod mini; and other Apple products built around those chips. The A11 is not vulnerable. A14 and later chips appear to be beyond the reach of this particular exploit method.
The Bug
The core problem is a hardware defect in the Synopsys DWC2 USB controller.
The controller receives USB Setup packets through DMA and buffers up to three of them. On the fourth packet, it resets the write pointer by subtracting a fixed 24 bytes. However, it also accepts packets smaller than the standard size, advancing the pointer only by the actual number of bytes received. This discrepancy builds up into a predictable buffer underflow, pushing the write pointer backward through memory in 12-byte increments.
What makes this exploitable on A12 and A13 is how Apple configures the USB DART (Device Address Resolution Table, the chip’s IOMMU) within SecureROM. On these devices, it operates in bypass mode, allowing the underflowing DMA pointer to reach and overwrite any location in SRAM.
The A11 is unaffected because its USB driver manually resets the DMA address after each packet, preventing the discrepancy from accumulating. A14 and later chips appear to configure DART correctly, which according to Paradigm Shift renders the vulnerability unexploitable on newer hardware.
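The pointer arithmetic in the two paragraphs above is easier to follow in a model. The block below is an added illustration written for this article, not code from Paradigm Shift, Apple or the DWC2 controller: it is an abstraction of the write pointer only, built on the article's numbers (three buffered Setup packets, a fixed 24-byte rewind, pointer advance by bytes actually received) and the fact that a USB Setup packet is 8 bytes. The class names, the `reset_per_packet` switch standing in for the A11 driver's per-packet address reset, the `dart_permits` stand-in for a non-bypass IOMMU mapping, and the sample addresses are all constructed for the example. It shows why each full cycle of short packets moves the pointer 12 bytes below the buffer, and why either mitigation the article names (resetting the DMA address per packet, or not running the DART in bypass mode) keeps every write inside the mapped buffer.

```python
"""Constructed model of the DWC2 Setup-packet write-pointer arithmetic the
article describes. It is an abstraction written for this article, not the
controller's register-level behaviour and not Apple or Paradigm Shift code."""

SETUP_PACKET_SIZE = 8   # a USB Setup packet is 8 bytes (USB 2.0 spec, 9.3)
SETUP_SLOTS = 3         # the controller buffers up to three Setup packets
REWIND = SETUP_PACKET_SIZE * SETUP_SLOTS   # fixed 24-byte rewind on the fourth packet


class SetupPointerModel:
    """Tracks where each incoming Setup packet is DMA-written.

    reset_per_packet=False models the flawed behaviour: the pointer advances
    by the bytes actually received, but every fourth packet rewinds it by a
    fixed 24 bytes as if three full 8-byte packets had been stored.
    reset_per_packet=True models an A11-style driver that reloads the DMA
    address after every packet, so no discrepancy can accumulate.
    """

    def __init__(self, buffer_base, reset_per_packet):
        self.base = buffer_base
        self.end = buffer_base + REWIND          # the three 8-byte slots
        self.ptr = buffer_base
        self.reset_per_packet = reset_per_packet
        self.filled = 0                          # packets stored since last rewind
        self.writes = []                         # (address, length) per DMA write
        self.cycle_starts = [buffer_base]        # pointer value after each rewind

    def receive(self, length):
        """Model one Setup packet of `length` bytes arriving; return its write address."""
        if not 1 <= length <= SETUP_PACKET_SIZE:
            raise ValueError("Setup packet length must be 1..8 bytes")
        if self.reset_per_packet:
            self.ptr = self.base                 # A11-style: start fresh each packet
        elif self.filled == SETUP_SLOTS:
            self.ptr -= REWIND                   # fourth packet: fixed 24-byte rewind
            self.filled = 0
            self.cycle_starts.append(self.ptr)
        address = self.ptr
        self.writes.append((address, length))
        self.ptr += length                       # advance only by bytes received
        self.filled += 1
        return address

    def out_of_bounds_writes(self):
        """DMA writes that land outside the three-slot buffer."""
        return [(a, n) for a, n in self.writes if a < self.base or a + n > self.end]


def dart_permits(address, length, mapped_ranges):
    """Constructed stand-in for an IOMMU check: a DMA write is allowed only if
    it lies entirely inside a range mapped for the device. In bypass mode,
    which the article says SecureROM uses on A12/A13, no such check runs."""
    return any(lo <= address and address + length <= hi for lo, hi in mapped_ranges)


def simulate(packet_lengths, reset_per_packet, buffer_base=0x1000):
    """Feed a sequence of packet lengths through the model and return it."""
    model = SetupPointerModel(buffer_base, reset_per_packet)
    for length in packet_lengths:
        model.receive(length)
    return model


if __name__ == "__main__":
    flawed = simulate([4] * 12, reset_per_packet=False)
    print("flawed, 4-byte packets; pointer after each rewind:",
          [hex(a) for a in flawed.cycle_starts])
    print("writes outside the buffer:", len(flawed.out_of_bounds_writes()))
    fixed = simulate([4] * 12, reset_per_packet=True)
    print("per-packet reset; writes outside the buffer:", len(fixed.out_of_bounds_writes()))
    mapped = [(0x1000, 0x1000 + REWIND)]
    blocked = [w for w in flawed.writes if not dart_permits(w[0], w[1], mapped)]
    print("writes a non-bypass IOMMU mapping would have refused:", len(blocked))
```

With full 8-byte packets the rewind lands exactly on the buffer base each time, so the flawed arithmetic is invisible in normal operation; only undersized packets expose it, which is why the defect survived into shipped silicon. The two mitigations act at different layers: the per-packet reset fixes the driver, while a correctly configured DART catches the stray write even if the driver is wrong.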
Achieving Code Execution
On A12, the DMA buffer is positioned next to the USB task’s stack in the heap. By overwriting a saved link register, the attacker gains control of the program counter at the next context switch.
A13 presents a greater challenge. Pointer Authentication (PAC) guards return addresses stored on the stack. Paradigm Shift worked around this in stages. By corrupting DART-related heap structures, they gained limited write capabilities. Overwriting the panic depth counter caused the chip to loop on errors rather than rebooting. Precise timing of DMA writes avoided destroying the USB task’s saved registers.
The final stage involved overwriting the USB interrupt handler pointer in the BSS section. The next USB interrupt then executed attacker-controlled code. Both approaches result in execution at EL1, the chip’s most privileged mode, within SecureROM.
What an Attacker Can Do
After exploitation, usbliter8 installs a custom USB request handler and marks the device’s USB serial string with PWND:[usbliter8]. From this position, an attacker can temporarily downgrade the SoC’s security mode or boot a raw, unsigned iBoot image without any signature verification, completely bypassing Apple’s chain of trust.
The research does not demonstrate a compromise of the Secure Enclave. Apple’s Secure Enclave is architecturally designed as an independent security boundary, isolated from the main application processor. However, Paradigm Shift cautions that BootROM-level access could potentially open new avenues for targeting it.
No Software Fix Available
The closest known precedent is checkm8, the 2019 SecureROM exploit that permanently placed A5-through-A11 devices beyond Apple’s ability to patch.
Like checkm8, usbliter8 demands physical access and DFU mode and cannot be remediated through a firmware update; it extends that unpatchable condition to the subsequent generation of chips.
As of June 19, 2026, no CVE, CVSS score, Apple security advisory, or CISA alert had been published, and no real-world exploitation had been publicly documented.
For everyday users, the practical risk is minimal: an attacker needs physical possession of the device, the correct cable, and the expertise to enter DFU mode. For high-security environments, however, this now becomes a matter of hardware retirement and strict device custody.
If a device uses one of the affected chips, that physical security boundary is permanently gone; protection now depends on controlling when and where the device can be connected. Organizations should inventory A12, A13, S4, and S5 hardware in sensitive roles, prioritize upgrading to A14 or newer, and avoid using DFU mode with untrusted USB cables or hosts.
The exploit code is now public. That is typically the point at which proof-of-concept research transitions into someone else’s operational toolkit.