Image fuzzing framework for iOS/macOS targeting CoreGraphics, ImageIO, and ICC profile parsing across 15 bitmap context types and 22 output formats.
- PermaLink: https://srd.cx/xnu-image-fuzzer/
- CVE Reference: https://srd.cx/cve-2022-26730/
- Author: David Hoyt — https://xss.cx · https://srd.cx · https://hoyt.net
- Generate baseline images with xnuimagetools (iOS, watchOS, Mac Catalyst)
- Fuzz with xnuimagefuzzer (`--pipeline`, `--chain`, `--input-dir`)
- Embed ICC profiles (clean + mutated)
- Encode to 22 formats (PNG, JPEG, TIFF×5, HEIC, WebP, JP2, PDF, BMP, GIF, EXR, ICNS, …)
- Feed to target apps: Preview, Safari, iMessage, Mail, Notes
- Collect crashes from `~/Library/Logs/DiagnosticReports/`
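Once a run has populated `~/Library/Logs/DiagnosticReports/`, the reports need deduplicating before any of them is worth opening. The script below is an added example, not part of the XNU Image Fuzzer project; it assumes the two-JSON-document layout of macOS `.ips` reports (one header line, then the body) and works on a constructed sample with made-up symbol names.

```python
"""Bucket macOS .ips crash reports by exception + top frames (added example, constructed data)."""
import glob
import json
import os
from collections import Counter

# Constructed sample. Assumption: a macOS .ips report is a one-line JSON header followed
# by a JSON body with faultingThread / exception / usedImages / threads. Symbol names here
# are invented for the example and do not refer to real ImageIO or CoreGraphics functions.
SAMPLE_IPS = """{"app_name":"Preview","bug_type":"309","os_version":"macOS 15.0"}
{"faultingThread":0,
 "exception":{"type":"EXC_BAD_ACCESS","signal":"SIGSEGV"},
 "usedImages":[{"name":"ImageIO"},{"name":"CoreGraphics"},{"name":"Preview"}],
 "threads":[{"frames":[
   {"imageIndex":0,"symbol":"sampleDecodeFrame","symbolLocation":120},
   {"imageIndex":1,"symbol":"sampleCreateImage","symbolLocation":44},
   {"imageIndex":2,"symbol":"main","symbolLocation":8}]}]}
"""

def parse_ips(text):
    """Return (header, body) dicts from the two-part .ips text."""
    header, _, body = text.partition("\n")
    return json.loads(header), json.loads(body)

def crash_signature(body, depth=3):
    """Dedup key: exception type/signal plus the top `depth` frames of the faulting
    thread rendered as image!symbol, so reports that differ only by offset collapse."""
    exc = body.get("exception", {})
    images = body.get("usedImages", [])
    thread = body["threads"][body.get("faultingThread", 0)]
    frames = []
    for frame in thread["frames"][:depth]:
        image = images[frame["imageIndex"]].get("name", "?")
        # Unsymbolicated frames carry only imageOffset; keep them distinguishable.
        sym = frame.get("symbol") or "+%s" % frame.get("imageOffset", "?")
        frames.append("%s!%s" % (image, sym))
    return (exc.get("type", "?"), exc.get("signal", "?"), tuple(frames))

def bucket_reports(texts):
    """Count how many reports share each signature."""
    return Counter(crash_signature(parse_ips(t)[1]) for t in texts)

def bucket_directory(path=os.path.expanduser("~/Library/Logs/DiagnosticReports")):
    """Read every .ips file in the crash drop directory and bucket it."""
    texts = []
    for name in glob.glob(os.path.join(path, "*.ips")):
        with open(name, encoding="utf-8", errors="replace") as fh:
            texts.append(fh.read())
    return bucket_reports(texts)

if __name__ == "__main__":
    for sig, hits in bucket_directory().most_common():
        print(hits, *sig)
```

Reports that fail to parse as two JSON documents (older text-format reports) will raise; filter those out or extend `parse_ips` if your machine still produces them.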
```shell
# Xcode
open "XNU Image Fuzzer.xcodeproj"   # Update Team ID → Run

# CLI (Mac Catalyst, unsigned)
xcodebuild build \
  -scheme "XNU Image Fuzzer" \
  -destination 'platform=macOS,variant=Mac Catalyst' \
  -configuration Release \
  CODE_SIGN_IDENTITY="-" CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO

# Pipeline fuzzing (generate → fuzz → ICC embed → measure)
./XNU\ Image\ Fuzzer --pipeline /path/to/input-images/
```

| Platform | Status |
|---|---|
| macOS 15+ (arm64, x86_64) | ✅ |
| iOS / iPadOS 18+ | ✅ |
| visionOS 2.x | ✅ |
- Copilot Instructions — build commands, architecture, debug env vars
- API Docs
- XNU Image Tools — multi-platform image generator