Particle.news

Unpatchable BootROM Exploit Released for Apple's A12 and A13 Chips

A public proof-of-concept lets anyone with physical USB access run unsigned low-level code on affected devices, and the flaw is permanent because it sits in immutable boot code.

Overview

  • Paradigm Shift published a technical write-up and released a working proof-of-concept called usbliter8 on June 18, 2026.
  • The exploit targets SecureROM, the immutable first-stage boot code burned into A12 and A13 chips, so the vulnerability cannot be fixed with a software update.
  • Paradigm Shift says the root cause is a bug in the Synopsys DWC2 USB controller that lets specially crafted USB packets overwrite protected memory during early boot.
  • usbliter8 requires physical USB access with the device in DFU mode and can install a custom USB handler that temporarily lowers security, boots unsigned iBoot images, and leaves the device marked with the traditional "PWND" serial string.
  • A11 and A14-or-newer Apple silicon avoid the flaw for different technical reasons. A13 was harder to exploit because of Pointer Authentication Codes. The only full user mitigation is moving to newer, non-vulnerable hardware.
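
For fleet triage, the "PWND" marker and the affected chip generations can be checked from the USB serial string a device reports in DFU mode. The sketch below is an added example, not code from Paradigm Shift or usbliter8. It assumes the serial string is a run of space-separated KEY:VALUE tokens and that CPID 8020 and 8030 identify A12 and A13; the sample strings, ECIDs and the PWND tag value are constructed.

```python
import re

# Assumption: DFU serial strings look like "CPID:8020 ... ECID:... SRTG:[...]",
# with an extra PWND token present once a device has been exploited.
# Assumption: CPID 8020 = A12, CPID 8030 = A13 (public chip identifiers).
AFFECTED_CPIDS = {"8020": "A12", "8030": "A13"}
TOKEN = re.compile(r"([A-Z]{4}):(\[[^\]]*\]|\S+)")

# Constructed sample inventory (not real devices).
SAMPLES = [
    "CPID:8020 CPRV:11 BDID:0C ECID:0000000000000001 SRTG:[iBoot-0000.0.0]",
    "CPID:8030 CPRV:11 BDID:04 ECID:0000000000000002 SRTG:[iBoot-0000.0.0] "
    "PWND:[constructed-tag]",
    "CPID:8101 CPRV:11 BDID:04 ECID:0000000000000003 SRTG:[iBoot-0000.0.0]",
]


def parse_serial(serial):
    """Split a DFU serial string into KEY -> value, stripping [] wrappers."""
    return {key: value.strip("[]") for key, value in TOKEN.findall(serial)}


def assess(serial):
    """Classify one device from its DFU serial string."""
    fields = parse_serial(serial)
    chip = AFFECTED_CPIDS.get(fields.get("CPID", "").upper())
    pwned = "PWND" in fields
    if pwned:
        verdict = "investigate"        # boot chain was modified over USB
    elif chip:
        verdict = "exposed-hardware"   # unpatchable; needs physical controls
    else:
        verdict = "ok"
    return {
        "ecid": fields.get("ECID"),
        "chip": chip,
        "affected": chip is not None,
        "pwned": pwned,
        "pwnd_tag": fields.get("PWND"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line))
```

Feed it the serial strings from whatever USB inventory source you already collect. A device only reports this string while it is in DFU mode, so a clean result says nothing about earlier sessions.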