Parallels Desktop Guest to Host Escape

We discussed this vulnerability during Episode 86 on 28 September 2021

The straightforward version: two out-of-bounds accesses when reading and writing the driver feature set. A guest-provided value is stored and then used as an array index without any validation, both in PciVirtIOWriteMM and in PciVirtIOReadMM, giving relative read and write primitives.
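To make the bug class concrete, here is an added example (not Parallels' code, and not from the linked post) modelling the pattern in C: a guest-controlled feature selector stored and later used as an array index, first unchecked and then with the bounds check the device model needs. The two-word feature array mirrors the VirtIO 1.x transport, where a 32-bit selector picks one word of the 64-bit driver feature set; struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the VirtIO driver-feature registers (assumption:
 * a 2-word feature set addressed by a guest-written 32-bit selector). */
#define FEATURE_WORDS 2u

typedef struct {
    uint32_t driver_feature_select;          /* guest-controlled selector */
    uint32_t driver_features[FEATURE_WORDS]; /* the indexed array */
    uint32_t sentinel;                       /* tripwire behind the array (test aid) */
} virtio_dev_t;

/* Vulnerable pattern from the write-up: the selector is stored and later used
 * as an index with no range check, so the guest picks an offset relative to
 * the array in both the write and the read path. Never call these with an
 * out-of-range selector; that is undefined behaviour. */
void vuln_write_driver_feature(virtio_dev_t *dev, uint32_t value) {
    dev->driver_features[dev->driver_feature_select] = value; /* no bounds check */
}
uint32_t vuln_read_driver_feature(const virtio_dev_t *dev) {
    return dev->driver_features[dev->driver_feature_select];
}

/* Hardened form: validate at the point of use, not only when the selector is
 * stored, because the selector register stays writable by the guest. */
bool feature_select_ok(uint32_t sel) { return sel < FEATURE_WORDS; }

bool safe_write_driver_feature(virtio_dev_t *dev, uint32_t value) {
    if (!feature_select_ok(dev->driver_feature_select)) return false; /* drop it */
    dev->driver_features[dev->driver_feature_select] = value;
    return true;
}
bool safe_read_driver_feature(const virtio_dev_t *dev, uint32_t *out) {
    *out = 0;
    if (!feature_select_ok(dev->driver_feature_select)) return false;
    *out = dev->driver_features[dev->driver_feature_select];
    return true;
}

/* Drive the hardened path with in-range, one-past-the-end and huge selectors;
 * returns 0 when every OOB access was refused and the sentinel is intact. */
int check_hardened(void) {
    virtio_dev_t dev; uint32_t v;
    memset(&dev, 0, sizeof dev);
    dev.sentinel = 0xCAFEBABEu;
    dev.driver_feature_select = 1;
    if (!safe_write_driver_feature(&dev, 0x12345678u)) return 1;
    dev.driver_feature_select = FEATURE_WORDS;      /* one past the end */
    if (safe_write_driver_feature(&dev, 0x41414141u)) return 2;
    if (safe_read_driver_feature(&dev, &v) || v != 0) return 3;
    dev.driver_feature_select = 0xFFFFFFFFu;        /* arbitrary large index */
    if (safe_write_driver_feature(&dev, 1)) return 4;
    return (dev.sentinel == 0xCAFEBABEu && dev.driver_features[1] == 0x12345678u) ? 0 : 5;
}
```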

This post also covers the exploitation (and the discovery and triaging at the start). The first step was using the relative read to read out index 6, which contained a pointer to nearby memory, revealing the base address of libMonitor.dyld, the library the vulnerability was in.

The second step was turning the relative read/write into arbitrary read/write. This was done by targeting pointers in an io_port_handler array in __bss memory, which were passed as parameters to the various handlers. Control of these pointers gave arbitrary read/write gadgets through AhciIdpIndexInPortFunc and AhciIdpIndexOutPortFunc.

Finally, for arbitrary code execution on the host, the read was used to find the address of system, and the write was used to replace a function pointer used by smb_write and to set up the command string in the variable passed when smb_write called that function pointer.