HIGH Vulnerabilities Reddit r/netsec

/sbin/ping -G sweepmax has no bounds check on macOS: deterministic BSS out-of-bounds write, confirmed by Apple

A local out-of-bounds write vulnerability exists in macOS's `/sbin/ping` utility, where the `-G sweepmax` argument lacks bounds checking, allowing a user to write beyond a 65,535-byte buffer into adjacent BSS globals. The bug is specific to Apple's code fork and affects `/sbin/ping` from the `network_cmds-730.80.3` package; Apple has confirmed the issue and plans a fix for Fall 2026. As the binary is not setuid on default configurations, there is no direct privilege escalation, but state corruption is demonstrable.

Controlled BSS Out-of-Bounds Write on macOS — Public Disclosure PING-01

Stuart Thomas, Independent Security Research — Whitby, North Yorkshire, United Kingdom
13 May 2026 · macOS / network_cmds-730.80.3 / /sbin/ping · Vendor ref: OE1105761557610 · Planned for Fall 2026 / In progress · ORCID: 0009-0008-4518-0064 · CC BY 4.0

`/sbin/ping`'s `-G sweepmax` argument is stored without validating it against `maxpayload`. The packet-fill loop then writes up to `sweepmax` bytes starting from `outpackhdr[36]` (SOCK_RAW / root) or `outpackhdr[16]` (SOCK_DGRAM / non-root), overflowing past the end of the 65,535-byte `outpackhdr` global array. The bug is asymmetric: the `-s datalen` flag has the bounds check that `-G sweepmax` lacks. The omission was introduced when an `#ifndef __APPLE__` block removed the non-root uid guard for `-G` without adding an equivalent `maxpayload` check. On arm64e (Apple Silicon), PAC prevents code-pointer hijack; state corruption via socket-fd overwrite remains demonstrable. On x86_64, pointer-type globals are within attacker reach. `/sbin/ping` is not setuid on macOS 11 or later; there is no direct privilege escalation on default configurations.

Keywords: out-of-bounds write · BSS corruption · network_cmds · ping · macOS · responsible disclosure · Apple Security Bounty · arm64e · PAC

`/sbin/ping` on macOS ships as part of `network_cmds-730.80.3`, Apple's open-source fork of the BSD networking utilities. The binary accepts a sweep-mode flag, `-G sweepmax`, that sets the upper bound of a payload-size sweep. An adjacent flag, `-s datalen`, enforces a maximum-payload check before the value is stored. `-G sweepmax` does not. The omission is Apple-specific: the upstream guard was wrapped in an `#ifndef __APPLE__` block that removed a uid-based size restriction without substituting an equivalent `maxpayload` check. The result is that any user can supply a sweep ceiling larger than the 65,535-byte internal buffer, and the fill loop will write past the end of that buffer into adjacent BSS globals.

This disclosure documents the root cause in source, the empirical confirmation of the primitive (socket-fd overwrite at OOB+128, value `0x63`, deterministic), and the extended-range analysis for both arm64e and x86_64 architectures. Apple has confirmed the bug and scheduled a fix for Fall 2026. The author considers 40 days of exclusivity appropriate for a local, non-setuid state-corruption primitive and publishes now to enable independent verification and defensive work.

The analysis was performed on `/sbin/ping` as shipped with macOS 26.4.1 (build 25E253, arm64e) and cross-confirmed on macOS 26.4 (build 25E246, arm64e). The x86_64 code path was confirmed by static analysis of the x86_64 slice.

The `-s` (data-length) option enforces the bounds check that `-G` does not. In `ping.c` ~line 647:

In the `-G sweepmax` handler, the original guard has been conditionally compiled out:

The `#ifndef __APPLE__` removed the non-root uid guard without substituting an equivalent `maxpayload` check. The omission is Apple-specific; the macOS code path exposes `sweepmax` values up to `UINT_MAX` to the fill loop.

The packet-fill loop at `ping.c` ~line 741 uses the larger of `datalen` and `sweepmax` as its upper bound, writing into `outpackhdr` starting at a socket-type-dependent offset:

`outpackhdr[]` is `IP_MAXPACKET = 65535` bytes. With `sweepmax > maxpayload`, the loop walks past the array end and into adjacent BSS globals.

Table 2. Overflow thresholds per socket mode (empirically confirmed).

Each overflowed byte is `i % 256`, where `i` is the fill-loop counter and is attacker-controlled via `-G`. The write is therefore byte-precise and deterministic: choose `-G N` and the byte at `outpackhdr[N-1]` becomes `(N-1) % 256`. The static `int s` socket descriptor is placed by the compiler at exactly 128 bytes past the end of `outpackhdr[]` in the compiled binary's `__common` BSS section (verified by inspecting the Mach-O symbol table on macOS 26.4.1 arm64e). With `-G 65637` (write up to `i = 65,636`), the first byte of `s` is overwritten with `65,635 % 256 = 99 = 0x63`.

The valid socket fd (typically `3` or `4`) becomes `0x63`, which is invalid. The next `setsockopt()` call returns `EBADF` and the binary exits with status 71. The crash is deterministic and binary-searchable: sweepmax 65,636 runs cleanly; 65,637 crashes. The threshold is invariant across runs (no ASLR sensitivity at this layout level).
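As an added example (not code from the disclosure or from network_cmds), the following C model shows the validation that a bounded length flag needs, applied to the `-G` value exactly as `-s` already applies it, together with a simplified model of the fill described above that reports how far a given `sweepmax` would carry the write past `outpackhdr[]`. The 36-byte and 16-byte fill offsets come from the text; a `maxpayload` of 65507 (65535 minus a 20-byte IP header and an 8-byte ICMP header) is an assumption for the sake of the example.

```c
#include <errno.h>
#include <stdlib.h>

#define IP_MAXPACKET   65535UL                 /* size of outpackhdr[]        */
#define MAXPAYLOAD     (IP_MAXPACKET - 20 - 8) /* 65507, assumed for example  */
#define RAW_FILL_OFF   36UL                    /* SOCK_RAW fill start offset  */
#define DGRAM_FILL_OFF 16UL                    /* SOCK_DGRAM fill start offset*/

/* The validation a bounded length flag needs: decimal only, no trailing
 * junk, no numeric overflow, and never larger than maxpayload.
 * Returns 0 and stores the value on success, -1 on rejection. */
int parse_bounded_len(const char *arg, unsigned long maxpayload,
                      unsigned long *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(arg, &end, 10);
    if (arg[0] == '\0' || *end != '\0' || errno == ERANGE)
        return -1;
    if (v > maxpayload)          /* the check -s performs and -G omits */
        return -1;
    *out = v;
    return 0;
}

/* The fill loop's upper bound is the larger of datalen and sweepmax. */
unsigned long fill_bound(unsigned long datalen, unsigned long sweepmax)
{
    return datalen > sweepmax ? datalen : sweepmax;
}

/* Simplified model of the fill: 'bound' bytes written from fill_off.
 * Returns how many bytes would land past the end of outpackhdr[];
 * 0 means the write stays inside the array. No memory is touched. */
unsigned long overflow_bytes(unsigned long fill_off, unsigned long datalen,
                             unsigned long sweepmax)
{
    unsigned long end = fill_off + fill_bound(datalen, sweepmax);
    return end > IP_MAXPACKET ? end - IP_MAXPACKET : 0;
}
```

The model deliberately does not reproduce the exact counter-to-index mapping of the real loop; it only shows that any `sweepmax` accepted without the `maxpayload` check lets the bound exceed the array.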
