VYPR
Severity: Unrated · Source: NVD Advisory · Published Dec 11, 2015 · Updated May 6, 2026

CVE-2015-7078

Description

A use-after-free in the AppleHV hypervisor driver on OS X before 10.11.2 lets a local user escalate privileges via crafted VM object operations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The AppleHV hypervisor driver in OS X before 10.11.2 contains a use-after-free vulnerability in the handling of the hv_space lock group. When a process with an AppleHV user client is terminated, the IOService::terminateWorker calls AppleHVClient::free, which calls lck_rw_free on the lock group pointer stored in the global _hv variable. Additionally, the hypervisor machine_thread_destroy callback (hv_callback_thread_destroy) also calls lck_rw_free with the same lock group pointer from _hv. This double-free leads to a use-after-free condition. The issue affects OS X El Capitan 10.11 and 10.11.1 (tested on 15a284) and was fixed in OS X 10.11.2 [1][2].

Exploitation

An attacker requires local user access to the system. The exploit involves repeatedly opening and closing an AppleHV user client connection to trigger the race window between the two lck_rw_free calls. By carefully timing the operations, the lock group memory can be freed while still in use, allowing control over freed kernel memory. The provided exploit code (tested on MacBookAir 5,2) continuously opens and closes the user client connection to induce the double-free [2].

Impact

Successful exploitation allows a local attacker to gain elevated privileges, likely achieving arbitrary code execution in the kernel context. The use-after-free can corrupt kernel memory, leading to full system compromise [1][2].

Mitigation

Apple addressed the vulnerability in OS X El Capitan 10.11.2, released on December 8, 2015 [1]. Users should update to this version or later. No workarounds are available for unpatched systems. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Double-free of the hv_space lock group pointer due to two separate code paths both calling lck_rw_free on the same object during process termination."

Attack vector

A local attacker opens an `AppleHV` user client connection via `IOServiceOpen`, then sends an IOConnectCallMethod (method 1) to the service [ref_id=1]. The attacker then kills the process (e.g., via `kill -9` from a forked child process) while the connection is active. The termination path triggers two separate calls to `lck_rw_free` on the same `hv_space` lock group pointer — once from `AppleHVClient::free` and once from the hypervisor thread-destroy callback — resulting in a use-after-free of the lock group object [ref_id=1]. This can be leveraged for local privilege escalation.

Affected code

The vulnerability resides in the AppleHV kernel extension's handling of lock groups. The `AppleHVClient::free` method (called via `IOService::terminateWorker`) and the `hv_callback_thread_destroy` callback both call `lck_rw_free` on the same lock group pointer obtained from the global `_hv` variable [ref_id=1]. This double-free of the lock group structure is the core defect.

What the fix does

The advisory does not include a patch diff, but the fix in OS X 10.11.2 addresses the double-free by ensuring the `hv_space` lock group is freed only once during process teardown [ref_id=1]. The remediation likely adds a reference count or a NULL-out check so that the second call to `lck_rw_free` does not operate on an already-freed lock group pointer. No further technical details of the fix are provided in the available reference.

Preconditions

  • Auth: the attacker must have local user access to the system
  • Config: the AppleHV kernel extension must be loaded (present on systems with Hypervisor.framework)
  • Input: the attacker must be able to open an AppleHV user client and send IOConnectCallMethod (method 1)

Reproduction

Compile and run the provided PoC on OS X 10.11 (El Capitan 15a284). The program forks a child that repeatedly opens an AppleHV user client connection and calls IOConnectCallMethod with method 1, while the parent sleeps for one second then sends SIGKILL to the child. The race between the two free paths triggers the use-after-free [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)