Fairly straightforward refcount leak bug in the coredump function of the kernel. It would take a reference on the process credentials to ensure they don’t get destroyed while in-use, but they don’t release the reference on the error exit path. Here, it was easy to trigger a fail case via the vn_open() call to open a vnode for the write file. By simply providing a path that your process doesn’t have permission to write to, it’ll error and leak the reference count. Since the reference count is 32-bit and just uses an atomic_inc, it’s also feasible to exploit.

Exploitation was somewhat interesting as it ultimately gives you a UAF in the kauth_cred_t zone and not the general purpose zone. However, you could overlap your cred with a more privileged cred for an easy and reliable privilege escalation.