Security researchers from Paradigm Shift have revealed a new exploit named usbliter8 that enables arbitrary code execution in the SecureROM of Apple’s A12 and A13 chips. This vulnerability is particularly concerning as it is unpatchable, meaning affected devices will retain this flaw for their entire lifespan.
Details of the Exploit
The exploit requires physical access to the device, which must be in DFU mode and connected via USB to a specific microcontroller board. Once set up, the exploit can be executed in under two seconds, prior to the loading of Apple’s signed boot chain. The technical details were made public on June 18, 2026, following a coordinated disclosure with Apple Product Security.
Affected Devices
The public proof of concept supports devices using the A12, A13, S4, and S5 systems-on-chip (SoCs). This includes models such as the iPhone XS, XS Max, XR, 11, 11 Pro, 11 Pro Max, and the iPad Air (3rd generation), among others. Devices with the A11 chip are not affected, and A14 and later models are also considered safe from this exploit.
Technical Underpinnings
The root cause of the vulnerability lies in a hardware flaw within the Synopsys DWC2 USB controller. This flaw allows for a buffer underflow condition that can be exploited to overwrite arbitrary memory locations. The exploit takes advantage of how Apple configures the USB DART (Device Address Resolution Table) in SecureROM, which runs in bypass mode on affected devices.
Post-Exploitation Risks
Once exploited, usbliter8 injects a custom USB request handler, allowing an attacker to demote the SoC’s production mode or boot an unsigned iBoot image, effectively bypassing Apple’s security measures. However, the research indicates that the Secure Enclave remains uncompromised, as it operates within a separate protection boundary.
As of June 19, 2026, no CVE or CVSS score has been issued, and there are no public reports of in-the-wild exploitation. For most users, the immediate risk is low, given the requirement for physical access and specific technical knowledge. For high-security environments, however, this is a significant concern that calls for careful management of devices running affected chips.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.