
Risky Business Features A Risky Biz Experiment: Hunting for iOS 0day with AI
Mar 31, 2026
Karina Klaur is an OpenClaw AI assistant acting as a technical thinking partner for vulnerability analysis. She inspects WebKit, hunts a suspected audio decode bug, then uncovers an SVG buffer overflow. Short, sharp scenes cover chaining primitives, sandbox and PAC hurdles, JIT corruption theory, her refusal to produce exploit code, and a walkthrough of the multi-stage Karuna chain.
AI Snips
Media Decoders Commonly Risk Size Mismatch Overflows
- Audio decoding often sizes output buffers from estimated frame counts, leaving a gap when actual decoded frames exceed estimates.
- Floating point multiplications and conversions across types can amplify rounding errors and enable writing past allocated PCM buffers.
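The size mismatch described in these two bullets, as an added illustration that is not code from the episode or from WebKit: a constructed decoder sizes its PCM buffer from a float duration in the container header (widened to double, multiplied by the sample rate, truncated), and a bounds-checked append refuses the extra frame that the estimate missed instead of writing past the allocation. All names, values and the decoder simulation are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Frame estimate as a decoder might derive it: a 32-bit float duration from
 * the container header is widened to double, multiplied by the sample rate
 * and truncated. 0.7f is really 0.69999998..., so 0.7 s at 48 kHz estimates
 * 33599 frames while the stream decodes to 33600 (constructed values). */
size_t estimate_frames(float header_duration_s, uint32_t sample_rate) {
    return (size_t)((double)header_duration_s * sample_rate);
}

typedef struct {
    int16_t *samples; /* interleaved PCM, capacity_frames * channels */
    size_t channels, capacity_frames, length_frames;
} pcm_buffer;

/* Hardened append: each write is bounded by the allocated capacity, not by
 * the estimate. Returns -1 instead of writing past the end of the buffer. */
int pcm_buffer_append(pcm_buffer *b, const int16_t *frames, size_t nframes) {
    if (nframes > b->capacity_frames - b->length_frames) return -1;
    memcpy(b->samples + b->length_frames * b->channels, frames,
           nframes * b->channels * sizeof(int16_t));
    b->length_frames += nframes;
    return 0;
}

/* Simulated decoder (assumption, not a real codec): sizes the buffer from the
 * header estimate, then emits actual_frames of silence in fixed-size blocks.
 * Returns 0 if everything fit, -1 if allocation failed or the bounds check
 * fired because the estimate was too small (the gap described above). */
int decode_stream(float header_duration_s, uint32_t rate, size_t channels,
                  size_t actual_frames, size_t block_frames) {
    pcm_buffer b = { NULL, channels, estimate_frames(header_duration_s, rate), 0 };
    /* overflow-safe element count before allocating */
    if (channels == 0 || block_frames == 0 ||
        b.capacity_frames > SIZE_MAX / channels / sizeof(int16_t))
        return -1;
    b.samples = calloc(b.capacity_frames * channels, sizeof(int16_t));
    int16_t *block = calloc(block_frames * channels, sizeof(int16_t));
    int rc = (b.samples && block) ? 0 : -1;
    for (size_t done = 0; rc == 0 && done < actual_frames; done += block_frames) {
        size_t n = actual_frames - done;
        rc = pcm_buffer_append(&b, block, n < block_frames ? n : block_frames);
    }
    free(block);
    free(b.samples);
    return rc;
}
```

With the estimate one frame short, the checked append fails the decode rather than corrupting adjacent heap memory; a decoder that trusted the estimate would have no such check at that point.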
Patches Can Be Platform Specific Leaving Alternate Paths Vulnerable
- A guard existed only on some platform paths, so a vulnerability can persist on alternate codec paths.
- In that commit the non-WebM path used an assertion that crashed, but the WebM path had asymmetric frame counters, leaving edge-case gaps.
Thought Experiment Linking Audio Overflow To SVG Exploit
- James and Karina mapped an audio overflow primitive into a broader chain conceptually usable with other bugs.
- They considered using audio PCM writes to corrupt objects, then leaking addresses for an ASLR bypass before performing precise SVG writes.
