In AppleAVD.kext, pixel buffers are mapped by calling AppleAVDUserClient::_mapPixelBuffer, which eventually calls AppleAVD::allocateKernelMemoryInternal. If the buffer is an IOSurface, the function calls IOSurface::deviceLockSurface before allocating memory by calling prepare. But when a pixel buffer is unmapped by calling AppleAVDUserClient::_unmapPixelBuffer, which calls AppleAVD::deallocateKernelMemoryInternal, the IOSurface is not locked before calling complete. This means that mapping and unmapping can occur at the same time, leading to kernel memory corruption. This bug could allow escalation to kernel privileges from a local app.
fa06dd34c9fcfaf9f03c6a70c7fd7fc078ff6872d40e76e3295731e58256ce8a
Apple Security Advisory 2022-10-27-3 - iOS 16 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.
f72f652240009ad6885c95e399eeada938afdca8ed7e90acdcc02793817280ae