CVE-2022-32917: AppleSPU out of bounds write
Original Post:
We discussed this vulnerability during Episode 206 on 25 April 2023
A pretty straightforward out-of-bounds write (OOB write) in the Apple SPU kernel extension, which is used for managing drivers on macOS and iOS. The problem lies in the opcode handler for ALLOCATE_BUFFER messages sent to SPU via an IOUserClient. This opcode allows a user to allocate from one of 16 inline slots inside the AppleSPU object. The problem is, there is no bounds check to ensure you don't try to allocate more than 16 buffers, which gives an easy OOB write.
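To make the bug class concrete, here is an added illustration of the pattern described above: a fixed array of 16 inline slots indexed by a caller-supplied slot number, once without the bounds check and once with it. This is example code written for this page, not Apple's AppleSPU source; the struct names, field layout, message format, slot size and return codes are all hypothetical. The object is modelled as the slot array followed by a single guard word standing in for whatever state follows the array in memory, so that the missing check is visible as a clobbered guard rather than as a crash.

```c
/* Added example of the bug class behind the ALLOCATE_BUFFER handler.
 * All names and the layout are hypothetical, not Apple's AppleSPU code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_SLOTS 16
#define SLOT_SIZE 64

/* Hypothetical driver object: 16 inline buffer slots followed by other state
 * (modelled here by one guard word). */
struct spu_object {
    uint8_t  slots[NUM_SLOTS][SLOT_SIZE];
    uint32_t guard;   /* stands in for whatever follows the slot array */
};

/* Hypothetical user-controlled request carried in an ALLOCATE_BUFFER message. */
struct alloc_request {
    uint32_t slot;             /* which inline slot to use; caller-controlled */
    uint32_t len;              /* number of bytes to initialise in the slot */
    uint8_t  data[SLOT_SIZE];  /* initial contents supplied by the caller */
};

enum { SPU_OK = 0, SPU_EINVAL = 22 };

/* Vulnerable pattern: the slot index is trusted.  For slot >= NUM_SLOTS the
 * write lands past the array; in this model it hits 'guard' (in a kernel it
 * would hit whatever memory follows the object).  Only slot == NUM_SLOTS is
 * exercised below so the write stays inside this struct. */
int handle_alloc_vulnerable(struct spu_object *obj, const struct alloc_request *req)
{
    uint32_t len = req->len > SLOT_SIZE ? SLOT_SIZE : req->len;
    uint8_t *base = (uint8_t *)obj;   /* byte view of the whole object */
    memcpy(base + (size_t)req->slot * SLOT_SIZE, req->data, len);
    return SPU_OK;
}

/* Hardened pattern: reject the request before any pointer arithmetic. */
int handle_alloc_hardened(struct spu_object *obj, const struct alloc_request *req)
{
    if (req->slot >= NUM_SLOTS || req->len > SLOT_SIZE)
        return SPU_EINVAL;
    memcpy(obj->slots[req->slot], req->data, req->len);
    return SPU_OK;
}

/* Demonstration helper: run one handler against a fresh object with a
 * constructed request for 'slot' and report the guard word afterwards. */
uint32_t guard_after_request(int (*handler)(struct spu_object *, const struct alloc_request *),
                             uint32_t slot)
{
    struct spu_object obj;
    struct alloc_request req;
    memset(&obj, 0, sizeof obj);
    obj.guard = 0xA5A5A5A5u;                 /* constructed sentinel */
    memset(&req, 0, sizeof req);
    req.slot = slot;
    req.len = 4;
    memcpy(req.data, "\xef\xbe\xad\xde", 4); /* constructed payload bytes */
    (void)handler(&obj, &req);
    return obj.guard;
}

/* Demonstration helper: status code the hardened handler returns for a request. */
int hardened_status(uint32_t slot, uint32_t len)
{
    struct spu_object obj;
    struct alloc_request req;
    memset(&obj, 0, sizeof obj);
    memset(&req, 0, sizeof req);
    req.slot = slot;
    req.len = len;
    return handle_alloc_hardened(&obj, &req);
}

int main(void)
{
    printf("vulnerable, slot %d: guard = 0x%08x\n", NUM_SLOTS,
           guard_after_request(handle_alloc_vulnerable, NUM_SLOTS));
    printf("hardened,   slot %d: guard = 0x%08x (status %d)\n", NUM_SLOTS,
           guard_after_request(handle_alloc_hardened, NUM_SLOTS),
           hardened_status(NUM_SLOTS, 4));
    return 0;
}
```

The check in the hardened handler is the whole fix: an unsigned comparison against NUM_SLOTS (which also covers negative values smuggled in as large unsigned indices) and a length check against the slot size, both performed before the index is ever turned into an address.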