Binary Gecko Blog

Looking at Kernel MTE panics on Apple Silicon
This blog post shows what happens on a real MTE-capable MacBook when we intentionally trigger tag-check failures in kernel land, and what kind of tooling makes the resulting panic output more useful.

Race conditions in Linux Kernel perf events
Foreword: We disclosed this vulnerability to the kernel security team through responsible disclosure (CVE-2024-46713). The patch on the mailing list is visible here…

Sky’s the Limit - Quick Analysis and Exploitation of a Chrome ipcz TOCTOU Vulnerability
In this blog post we’ll dive into the details of an interesting vulnerability in the new IPC mechanism of Chrome, ipcz, and see how it was possible to exploit it from a compromised renderer to escape the Chrome sandbox. The following analysis and the described exploitation technique are based on Chromium 113.0.5672.77.