Security researchers at Paradigm Shift have published a working exploit, dubbed usbliter8, which achieves arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips.
SecureROM is burned into the silicon at manufacture; no software update can reach it. Affected devices will carry this defect for as long as they are in use.
This is not a remote attack. It requires physical possession of the device, which must be put into DFU mode and connected over USB to a dedicated RP2350-based microcontroller board. With that setup, the exploit completes within two seconds, before Apple's signed boot chain is loaded.
The full technical article and working proof of concept became public on June 18, 2026, following a coordinated disclosure with Apple Product Security.
Affected Devices
The public PoC supports the A12, A13, S4 and S5 SoCs. A12X and A12Z support is described as theoretically possible but not yet implemented.
Device families in that category include the iPhone XS, XS Max and XR; the iPhone 11, 11 Pro and 11 Pro Max; the iPhone SE (2nd generation); the iPad Air (3rd generation), iPad mini (5th generation) and iPad (8th generation); the Apple Watch Series 4 and 5 and the first-generation Apple Watch SE; the HomePod mini; and other Apple products built on those chips. The A11 is not affected, and the A14 and later appear not to be reachable by this exploit path.
The Bug
The root cause is a hardware defect in the Synopsys DWC2 USB controller.
The controller writes incoming USB SETUP packets into a buffer via DMA. It holds up to three, then on the fourth resets its write pointer by decrementing it by a fixed 24 bytes (three packets of the standard 8 bytes). But it also accepts packets shorter than the standard, and it advances the pointer only by the number of bytes actually written. The mismatch accumulates: every cycle the pointer rewinds by 24 but has advanced by less, so it walks backward through memory 12 bytes at a time, a repeatable buffer underflow.
What makes this exploitable on the A12 and A13 is how Apple configures the USB DART (Device Address Resolution Table, the chip's IOMMU) inside SecureROM. On affected devices it runs in bypass mode, so the underflowing DMA pointer is not confined to the USB buffer and can overwrite arbitrary SRAM.
The A11 is not affected because its USB driver manually resets the DMA address after each packet, so the mismatch never accumulates. The A14 and later appear to configure the DART correctly, which Paradigm Shift says is why the vulnerability does not carry over to newer hardware.
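To make the pointer arithmetic concrete, here is a small model of the SETUP-buffer behaviour described above. It is an added illustration written for this article, not Paradigm Shift's code and not the DWC2 controller logic itself. It assumes the fixed 24-byte rewind and a 3-packet buffer as stated; the 4-byte short packet is an inference (3 × 4 − 24 = −12 reproduces the 12-byte backward step); the toy SRAM size, the buffer's placement in it, and the way the DART is modelled as a simple allow/deny window around the buffer are all invented for the example. The three configurations show why the A11 (driver rearms the address after each packet) and a correctly configured DART escape the bug while the bypass configuration does not.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Figures taken from the article's description of the DWC2 SETUP path. */
#define SETUP_PKT_LEN  8                              /* a USB SETUP packet is 8 bytes */
#define SETUP_SLOTS    3                              /* three are buffered before the rewind */
#define REWIND_BYTES   (SETUP_SLOTS * SETUP_PKT_LEN)  /* fixed 24-byte decrement on the 4th packet */

/* Toy SRAM layout (assumption, not the real A12 map): the SETUP buffer sits in the
   middle so that backward drift has somewhere to land. */
#define SRAM_BYTES     96
#define SETUP_BUF_BASE 48

typedef struct {
    uint8_t sram[SRAM_BYTES];
    int64_t write_off;       /* DMA write offset relative to SETUP_BUF_BASE; signed so underflow shows */
    int     pending;         /* packets written since the last rewind */
    bool    reset_each_pkt;  /* A11-style driver: rearm the DMA address after every packet */
    bool    dart_bypass;     /* true = DART lets DMA reach any SRAM (A12/A13 SecureROM per the article) */
    int     bytes_outside;   /* bytes that landed outside the 24-byte SETUP buffer */
    bool    dart_fault;      /* an enforcing DART rejected an out-of-window write */
} dwc2_model;

static void dwc2_init(dwc2_model *m, bool reset_each_pkt, bool dart_bypass) {
    memset(m, 0, sizeof *m);
    m->reset_each_pkt = reset_each_pkt;
    m->dart_bypass = dart_bypass;
}

/* Deliver one SETUP packet of len bytes (8 is well formed, less is short).
   Returns the buffer-relative offset the packet was written at. */
static int64_t dwc2_setup_write(dwc2_model *m, const uint8_t *pkt, int len) {
    if (m->pending == SETUP_SLOTS) {     /* fourth packet: hardware rewinds by a fixed 24 ... */
        m->write_off -= REWIND_BYTES;    /* ... no matter how many bytes actually went in */
        m->pending = 0;
    }
    int64_t dst = m->write_off;
    for (int i = 0; i < len; i++) {
        int64_t rel  = dst + i;
        int64_t addr = SETUP_BUF_BASE + rel;
        bool in_window = rel >= 0 && rel < REWIND_BYTES;
        if (!in_window) {
            if (!m->dart_bypass) { m->dart_fault = true; continue; }  /* enforcing IOMMU blocks it */
            m->bytes_outside++;                                       /* bypass mode: lands in SRAM */
        }
        if (addr >= 0 && addr < SRAM_BYTES) m->sram[addr] = pkt[i];
    }
    m->write_off += len;                 /* pointer advances only by the bytes actually written */
    m->pending++;
    if (m->reset_each_pkt) {             /* A11 behaviour per the article: driver rearms every time */
        m->write_off = 0;
        m->pending = 0;
    }
    return dst;
}

/* Net pointer movement per three-packet cycle: 0 for 8-byte packets, -12 for 4-byte ones. */
static int64_t dwc2_drift_per_cycle(int len) {
    return (int64_t)SETUP_SLOTS * len - REWIND_BYTES;
}

/* Feed n packets of len bytes into a fresh model and return its final state. */
static dwc2_model dwc2_run(int len, int n, bool reset_each_pkt, bool dart_bypass) {
    dwc2_model m;
    uint8_t pkt[SETUP_PKT_LEN];
    memset(pkt, 0x41, sizeof pkt);       /* constructed filler; a real SETUP packet carries a request */
    dwc2_init(&m, reset_each_pkt, dart_bypass);
    for (int i = 0; i < n; i++) dwc2_setup_write(&m, pkt, len);
    return m;
}

int main(void) {
    printf("drift per cycle, 8-byte packets: %lld\n", (long long)dwc2_drift_per_cycle(8));
    printf("drift per cycle, 4-byte packets: %lld\n", (long long)dwc2_drift_per_cycle(4));
    dwc2_model a12 = dwc2_run(4, 12, false, true);
    dwc2_model a11 = dwc2_run(4, 12, true,  false);
    dwc2_model a14 = dwc2_run(4, 12, false, false);
    printf("A12-like (no rearm, DART bypass): %d bytes outside buffer, pointer at %lld\n",
           a12.bytes_outside, (long long)a12.write_off);
    printf("A11-like (rearm each packet):     %d bytes outside buffer\n", a11.bytes_outside);
    printf("A14-like (enforcing DART):        %d bytes outside buffer, fault=%d\n",
           a14.bytes_outside, a14.dart_fault);
    return 0;
}
```

Twelve 4-byte packets are four rewind cycles; in the bypass configuration the pointer ends 24 bytes below the buffer and 36 bytes of attacker-controlled packet data have been written outside it. The same input with per-packet rearming never leaves the window, and with an enforcing DART the out-of-window writes are refused.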
Getting Code Execution
On the A12, the DMA buffer sits next to the USB task's stack on the heap. Overwriting the saved link register hands control of the program counter to the attacker at the next context switch.
The A13 is harder. Pointer Authentication (PAC) protects return addresses stored on the stack, so Paradigm Shift bypassed it in stages: corrupting DART-related heap structures produced a limited write primitive; overwriting the panic depth counter made the chip loop on errors instead of rebooting; and careful timing of the DMA writes kept the USB task's saved registers from being corrupted.
In the final step, the USB interrupt handler pointer in BSS was overwritten, so the next USB interrupt began executing attacker-supplied code. Either path ends with execution at EL1, the chip's privileged mode, inside SecureROM.
What an Attacker Gets
After exploitation, usbliter8 installs a custom USB request handler and stamps PWND:[usbliter8] into the device's USB serial string. From there an attacker can temporarily demote the SoC out of production mode, or boot a raw, unsigned iBoot image with no signature checking at all, stepping out of Apple's chain of trust entirely.
The research does not show the Secure Enclave being compromised; Apple designs it as a separate security boundary from the application processor. Paradigm Shift does warn, however, that BootROM-level control could open new avenues of attack.
No Software Patch
The closest public precedent is checkm8, the 2019 SecureROM exploit that left A5-through-A11 devices permanently beyond the reach of an Apple patch.
Like checkm8, usbliter8 requires physical access and DFU mode, and it cannot be closed by a firmware update. usbliter8 extends that status to the next chip generation.
As of June 19, 2026, no CVE, CVSS score, Apple security advisory or CISA alert has been issued, and no in-the-wild exploitation has been publicly reported.
For most users the practical risk is low: an attacker needs the physical device, the right cable and hardware, and the know-how to put it into DFU mode. For high-security environments this is now a hardware-retirement and device-custody issue.
If a device runs one of the affected chips, the software line of defence is gone for good; security depends on controlling when and where that device can be plugged in. Inventory A12, A13, S4 and S5 hardware in sensitive roles, prioritise refreshes toward A14 or newer, and never put devices into DFU mode on untrusted USB cables or hosts.
The code is public. That is usually the point at which exploit research stops being a demo and becomes someone else's tool.