Blog on ALTV!ST

A bug in Apple Audio Toolbox that leads to heap OOB read

Sat, 13 Jun 2026 00:00:00 +0000

Last month, while testing HOBO BN MCP, I found two very similar vulnerabilities in macOS. I reported both to Apple Product Security through the Apple Security Bounty program — one report per vulnerability. Apple confirmed one of them, and I’m now waiting for a CVE and the update that will patch it. Once the patch ships, I’ll publish a detailed write-up about that one.

The second report was rejected: “We’re unable to identify a security issue in your report.” Well — “rejected” may not be quite the right word. In all likelihood, this second vulnerability will also be fixed in a future update, just silently, with no CVE and no bounty.

As I mentioned, the two vulnerabilities are very similar, so Apple Product Security’s call on the second one came as an unpleasant surprise. But I’m not going to argue with Apple in this post. Instead, I’ll walk through the second vulnerability in detail and, at the end, share a few thoughts on why Apple Product Security might not have identified it as a security issue.

HOBO BN MCP v1.1.0 released

Thu, 16 Apr 2026 00:00:00 +0000

I was too stingy to pay $1499+ for a commercial Binary Ninja license and a pile of tokens that MCP waste every time I say “Hello!” to Claude. So I wrote my own MCP-like solution from scratch. Despite its name, HOBO BN MCP is not an MCP (Model Context Protocol) server. Instead, HOBO BN MCP runs inside Binary Ninja as a plugin and uses a simple JSON-over-HTTP protocol.

Hello, world!

Thu, 09 Apr 2026 00:00:00 +0000

The traditional meaningless first post in almost any blog 🙂

Contact

Mon, 01 Jan 0001 00:00:00 +0000

You can find me online here:

Blog: https://altvi.st (you’re reading it now)
GitHub: github.com/altvist
Mastodon: @altvist@infosec.exchange
Mail:
- contact@altvi.st
- altvist@pm.me

Please keep in mind that none of the above is end-to-end encrypted.

Credits

Mon, 01 Jan 0001 00:00:00 +0000

Blog engine: Hugo static site generator. Apache 2.0 License.
Blog theme: Void Speach (developed by me from scratch specially for this blog). PD license.
Fonts:
- Source Sans 3 by Paul D. Hunt. SIL Open Font License.
- JetBrains Mono by the JetBrains Mono Project authors. SIL Open Font License.
Icons: free iconts from Font Awesome. CC BY 4.0 License.
Math rendering: KaTeX math typesetting library. MIT License.
Hosting:
- The site: GitHub Pages
- Fonts: Google Fonts
- KaTeX: jsDelivr
The cat avatar is a mene by unknown author

Disclaimer

Mon, 01 Jan 0001 00:00:00 +0000

This blog is dedicated to cybersecurity education and research. The content published here — including vulnerability analyses, reverse engineering walkthroughs, and proof-of-concept (PoC) demonstrations — is intended solely for educational and informational purposes.

Regarding PoC and vulnerability research

Any proof-of-concept code or technical demonstrations published on this blog are provided to illustrate how a specific vulnerability works — nothing more. They are not designed, optimized, or intended to be used as functional exploit tools. The goal is understanding, not exploitation.

Projects

Mon, 01 Jan 0001 00:00:00 +0000

Some pet projects I’m currently working on.

HOBO BN MCP

License: GNU GPL v3
Code: https://github.com/altvist/hobo-bn-mcp/
Description: Despite its name, HOBO BN MCP is not an MCP (Model Context Protocol) server. Instead, HOBO BN MCP runs inside Binary Ninja as a plugin and uses a simple JSON-over-HTTP protocol. Good for casual AI-assisted analysis of disassembled machine code. Please read the blog post and the documentation for details.

Thaumiel

License: distribution is not allowed, for internal use only
Description: An AI-powered cross-platform fuzzer designed specifically for finding vulnerabilities in parsers. Under development. А release is still a very, very long way off.