Pointer leaks through pointer-keyed data structures
ID: 496f0fa7-f2f3-543b-9d4f-3f5d0056998e
STIX ID: report--496f0fa7-f2f3-543b-9d4f-3f5d0056998e
Feed Name: Google Project Zero
Project Zero research describes a novel serialization-based information disclosure on Apple platforms: by deserializing attacker-controlled NSDictionary objects containing crafted NSNumber and NSNull keys and then re-serializing the result, an attacker can infer NSNull's pointer (shared-cache address) from the ordering of serialized keys. The author supplies a reproducer and explains how repeating the technique across hash-table sizes and using the Chinese remainder theorem yields the full pointer; Apple fixed the issue in the 31 Mar 2025 security releases. The attack is practical only when a target deserializes attacker data and returns a re-serialized payload, so real-world impact is limited but relevant for ASLR bypass techniques.
