CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers
ID: a16202ee-4ffa-52ae-aa51-3d90640f2b5f
STIX ID: report--a16202ee-4ffa-52ae-aa51-3d90640f2b5f
Feed Name: Google Project Zero
This Project Zero write-up dissects a race condition in the XNU 'voucher' subsystem (user_data attribute) that incorrectly increments a non-atomic counter (e_made), enabling a timing window where a user-controlled attribute element can be freed while still in use; the flaw can yield kernel memory read/write primitives and local privilege escalation. The analysis walks through voucher/data structures, locking, deduplication logic, the exact race windows, and includes a practical PoC that demonstrates triggering the bug; Apple patched the issue in iOS 14.4 and indicated potential active exploitation.
