Apple CVE-2026-43666: Out-of-Bounds Write in mDNSResponder

May 15, 2026

I recently reported an out-of-bounds write in mDNSResponder to Apple, which has now been published as CVE-2026-43666.

It's great to contribute to the security of software that is used daily by millions of Apple devices, and it's extra rewarding to receive an Apple Security Bounty for it.

Apple's Advisory

From Apple's security advisory:

mDNSResponder

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An attacker on the local network may be able to cause a denial-of-service

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2026-43666: Ian van der Wurff (ian.nl)

What's Next

I'll be continuing my research into Apple's software. Their bug bounty program is one of the best out there, both in terms of scope and rewards, and I really enjoy hunting for vulnerabilities in code that ships to hundreds of millions of devices. More writeups to come (hopefully).
