
arxiv: 2606.00918 · v2 · pith:5YDVUSDMnew · submitted 2026-05-30 · 💻 cs.CR

One (Thread) Can Keep a (PRNG) Secret, but not Two

Pith reviewed 2026-06-28 18:19 UTC · model grok-4.3

classification 💻 cs.CR
keywords: IPv6 fragment ID, PRNG, race condition, cryptanalysis, fragment spoofing, XNU kernel, network attack, off-path attack

The pith

XNU's IPv6 fragment ID PRNG can be fully recovered by exploiting a race condition between threads.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that a race condition in the XNU kernel's PRNG for IPv6 fragment IDs lets an attacker collect enough outputs to recover the full internal state through cryptanalysis. Once the state is known, future IDs can be predicted and used to spoof fragments. This enables an off-path attacker to alter parts of UDP datagrams and TCP segments in flight. Demonstrated cases include modifying files written over NFS and changing HTTP requests. The work led to CVE-2024-27823 and a patch across Apple products.

Core claim

The central claim is that the XNU IPv6 Fragment ID PRNG contains a race-condition vulnerability that permits an attacker to obtain sufficient observable outputs to recover the full internal state via cryptanalysis, predict fragment IDs, and thereby carry out IPv6 fragment spoofing attacks that partially manipulate UDP datagrams and TCP segments.

What carries the argument

The race condition in the multi-threaded PRNG that leaks enough outputs for state reconstruction.

If this is right

  • Predicted fragment IDs enable IPv6 fragment spoofing attacks.
  • An off-path attacker can modify UDP datagrams such as NFS writes.
  • An off-path attacker can modify TCP segments such as HTTP requests.
  • The vulnerability affects all XNU-based products and received CVE-2024-27823.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the authors make directly.

  • Other multi-threaded PRNG designs in kernels could be susceptible to similar state-recovery attacks.
  • Fragment ID prediction may support additional off-path network manipulations beyond the two examples shown.
  • Synchronizing PRNG access more strictly would block the output collection step required for the attack.
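The two points above (a multi-threaded generator whose unsynchronised step leaks extra outputs, and a mutex as the fix) can be seen on a toy model. The code below is an added illustration and is not code from the paper or from XNU: the generator (`toy_update`, `toy_output`), the `SharedGenerator` class, the `run_schedule` interleaving replayer and the `duplicate_ids` check are all hypothetical. It splits one PRNG step into read, compute and write phases and replays a chosen thread interleaving deterministically, once without a lock and once with the step guarded by a mutex.

```python
"""
Toy model of a PRNG stepped concurrently without synchronisation.
Added illustration only: the generator, its update/output functions and the
interleavings are hypothetical and are NOT the XNU fragment-ID generator.
"""
from typing import Dict, Iterator, List, Optional, Set

MASK32 = 0xFFFFFFFF


def toy_update(state: int) -> int:
    """Hypothetical state transition (a 32-bit LCG); stands in for the real one."""
    return (state * 1664525 + 1013904223) & MASK32


def toy_output(state: int) -> int:
    """Hypothetical output map from internal state to a 32-bit fragment ID."""
    return (state ^ (state >> 16)) & MASK32


class SharedGenerator:
    """A generator whose step is a non-atomic read -> compute -> write sequence."""

    def __init__(self, seed: int) -> None:
        self.state = seed & MASK32

    def step_phases(self, out: List[int]) -> Iterator[str]:
        """One ID-generation step, split at the points where a context switch
        could occur. Each yield names the phase just completed."""
        s = self.state                 # phase 1: read the shared state
        yield "read"
        fid = toy_output(s)            # phase 2: derive the ID from the snapshot
        yield "compute"
        self.state = toy_update(s)     # phase 3: write back the advanced state
        out.append(fid)
        yield "write"


def run_schedule(seed: int, schedule: str, locked: bool) -> List[int]:
    """Replay a thread interleaving deterministically.

    `schedule` is a string of thread names such as "ABABAB"; each character
    advances that thread by one phase. With locked=True the step is guarded by
    a mutex: a thread that has entered the step owns the lock, and a request to
    advance a different thread is served by advancing the owner instead, which
    models the other thread blocking until the owner finishes its step.
    """
    gen = SharedGenerator(seed)
    out: List[int] = []
    running: Dict[str, Iterator[str]] = {}
    owner: Optional[str] = None
    for name in schedule:
        if locked and owner is not None and owner != name:
            name = owner                          # blocked on the mutex
        it = running.get(name)
        if it is None:
            it = running[name] = gen.step_phases(out)
        phase = next(it)
        if phase == "write":                      # step complete: release
            del running[name]
            owner = None
        elif locked:
            owner = name
    return out


def duplicate_ids(ids: List[int]) -> Set[int]:
    """IDs emitted more than once in the observed sequence. In the racy
    interleaving two steps snapshot the same state and emit the same ID, so
    a repeat is the observable symptom of the race in this toy model."""
    seen: Set[int] = set()
    dups: Set[int] = set()
    for fid in ids:
        if fid in seen:
            dups.add(fid)
        seen.add(fid)
    return dups


if __name__ == "__main__":
    # Two threads interleaved phase by phase, with and without the mutex.
    racy = run_schedule(seed=1, schedule="ABABAB", locked=False)
    safe = run_schedule(seed=1, schedule="ABABAB", locked=True)
    print("unsynchronised:", racy, "duplicates:", duplicate_ids(racy))
    print("with mutex:    ", safe, "duplicates:", duplicate_ids(safe))
```

In the unsynchronised run both threads read the same state before either writes it back, so two IDs are derived from one state while the state advances only once: the observer gets more outputs per state transition than the design intends, which is the kind of extra information the summary says the cryptanalysis consumes. Under the mutex the same schedule produces the same sequence as running the threads back to back, and the duplicate check reports nothing.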

Load-bearing premise

The XNU IPv6 Fragment ID PRNG implementation contains a race condition that permits an attacker to obtain sufficient observable outputs to recover the full internal state via cryptanalysis.

What would settle it

A test showing that outputs collected during the race condition still leave the PRNG state underdetermined or prevent accurate prediction of subsequent fragment IDs.

Figures

Figures reproduced from arXiv: 2606.00918 by Amit Klein, Benny Pinkas, Ehood Porat.

Figure 1: IPv6 Fragmentation of an NFS WRITE Call. 1.5 IPv6 Fragmentation Attacks at Large. The NFS WRITE call spoofing attack we present is a specific example of a generic IPv6 fragment spoofing attack, the latter being so severe an issue that there is, in fact, an RFC called “Security Implications of Predictable Fragment Identification Values” [24] dedicated to discussing IPv6 fragmentation attacks. Hence, we consid…

Figure 2: Attack Entities. 3.1.2 Attack Requirements. Attacker device. • The attacker device must be able to send/receive packets to/from the macOS host and the server. In addition, the attacker device must be able to send/receive packets to/from the macOS host at a rate of ≈ 1 Gbps in order to trigger the race condition. This condition can be fulfilled by the target device residing on a corporate/ISP network that offe…

Figure 3: Attack flow. The spoofed 2nd fragments (we send more than four fragments in order to sync with the current state of the PRNG; in later experiments we used a better approach as described in subsubsection 3.4.5) ①, among them the spoofed 2nd fragment ② with the correct fragment ID. The macOS host (NFS client) request is fragmented into ③ (which contains the authentication data ⑥) and ④. The NFS se…

Figure 4: Side-by-side file comparison for the target of the attack. The left…
Original abstract

We present a novel, practical attack on the IPv6 Fragment ID generation algorithm of XNU, which is the kernel used by Apple products such as macOS and iOS. This attack exploits a race-condition vulnerability in the algorithm's pseudorandom number generator (PRNG) to cryptanalytically break, learn the internal state of the generator, and consequently predict fragment IDs, which, in turn, facilitates an IPv6 fragment spoofing attack. As far as we know, this is the first cryptanalytic attack that is based on exploiting race-conditions. With fragment spoofing, it is possible to partially manipulate UDP datagrams and TCP segments. We showcase a new type of attack on NFS (UDP) where an off-path attacker modifies a file as it is written, and an attack on HTTP (TCP) where an off-path attacker modifies an HTTP request. Apple assigned this vulnerability the CVE identifier CVE-2024-27823 and patched all its XNU-based products against the attack.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The manuscript presents a practical attack on the IPv6 Fragment ID PRNG in Apple's XNU kernel (used in macOS and iOS). It exploits a race condition to obtain multiple observable outputs, recover the PRNG internal state via cryptanalysis, predict fragment IDs, and enable off-path IPv6 fragment spoofing. Demonstrations include modification of NFS (UDP) file writes and HTTP (TCP) requests by an off-path attacker. Apple assigned CVE-2024-27823 to the vulnerability.

Significance. If the empirical attack holds, the work is significant for introducing the first cryptanalytic attack based on race conditions in a PRNG, with direct applicability to widely deployed Apple systems and real-world protocol manipulation. The independent CVE assignment by Apple provides external confirmation of the vulnerability's existence and exploitability.

major comments (1)
  1. [Abstract, §3] Abstract and §3 (attack description): the central claim that the race condition supplies sufficient observable outputs for full state recovery is asserted without any reported implementation details, timing measurements, sample outputs, or verification steps that would allow independent evaluation of the cryptanalysis success.
minor comments (1)
  1. The manuscript would benefit from explicit pseudocode or a diagram of the PRNG update under concurrent access to clarify the race window.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the positive assessment of the work's significance and for noting the external validation provided by CVE-2024-27823. We respond to the single major comment below.

Point-by-point responses
  1. Referee: [Abstract, §3] Abstract and §3 (attack description): the central claim that the race condition supplies sufficient observable outputs for full state recovery is asserted without any reported implementation details, timing measurements, sample outputs, or verification steps that would allow independent evaluation of the cryptanalysis success.

    Authors: We agree that the current presentation in the abstract and §3 would benefit from additional concrete details to support independent verification of the race-condition exploitation and subsequent state recovery. While the manuscript describes the overall attack flow and provides end-to-end demonstrations on NFS and HTTP, it does not include the requested low-level implementation specifics, timing measurements, sample outputs, or verification steps for the race condition itself. In the revised manuscript we will expand §3 to incorporate these elements. revision: yes

Circularity Check

0 steps flagged

No significant circularity

Full rationale

The paper reports an empirical attack on an existing PRNG implementation by exploiting a documented race condition to recover state and predict outputs. No derivation chain, fitted parameters, predictions, or self-citations are present that reduce the central claim to its own inputs by construction. The argument relies on observable behavior and external confirmation via CVE assignment rather than internal mathematical closure.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

This is an empirical security attack paper; no free parameters, mathematical axioms, or invented entities are introduced or required by the central claim.

pith-pipeline@v0.9.1-grok · 5703 in / 984 out tokens · 23726 ms · 2026-06-28T18:19:09.431019+00:00 · methodology


Reference graph

Works this paper leans on

56 extracted references · 13 canonical work pages · 1 internal anchor

  1. nfsv3 datastore is much faster than nfsv4, 2022. URL: https://techbrainblog.com/2022/08/26/nfsv3-datastore-is-much-faster-than-nfsv4/

  2. Datastore with nfs4 slowness issue and netapp/vmware findings, 2022. URL: https://techbrainblog.com/2022/10/20/datastore-with-nfs4-slowness-issue-and-netappvmware-findings/

  3. Fatemah Alharbi, Jie Chang, Yuchen Zhou, Feng Qian, Zhiyun Qian, and Nael B. Abu-Ghazaleh. Collaborative client-side DNS cache poisoning attack. IEEE INFOCOM 2019 - IEEE Conference on Computer Communications, pages 1153–1161, 2019.

  4. Carl Beame, Robert Thurlow, Brent Callaghan, David Robinson, David Noveck, Mike Eisler, and Spencer Shepler. Network File System (NFS) version 4 Protocol. RFC 3530, April 2003. URL: https://www.rfc-editor.org/info/rfc3530, doi:10.17487/RFC3530

  5. Steven M. Bellovin. A technique for counting NATted hosts. In Internet Measurement Workshop, 2002.

  6. Robert Beverly, William Brinkmeyer, Matthew J. Luckie, and Justin P. Rohrer. IPv6 alias resolution via induced fragmentation. In Passive and Active Network Measurement Conference, 2013.

  7. Markus Brandt, Tianxiang Dai, Amit Klein, Haya Shulman, and Michael Waidner. Domain Validation++ for MitM-resilient PKI. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 2060–2076, October 2018. doi:10.1145/3243734.3243790

  8. Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan A. Dao, Srikanth V. Krishnamurthy, and Lisa M. Marvel. Off-path TCP exploits: Global rate limit considered dangerous. In USENIX Security Symposium, 2016.

  9. Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan A. Dao, Srikanth V. Krishnamurthy, and Lisa M. Marvel. Off-path TCP exploits of the challenge ACK global rate limit. IEEE/ACM Transactions on Networking, 26:765–778, 2018.

  10. Weiteng Chen and Zhiyun Qian. Off-path TCP exploit: How wireless routers can jeopardize your secrets. In USENIX Security Symposium, 2018.

  11. George Danezis. Covert communications despite traffic data retention. In Security Protocols Workshop, 2008.

  12. Jakub Dlugolecki. NFS security in both trusted and untrusted environments. URL: https://www.giac.org/paper/gsec/8216/nfs-security-trusted-untrusted-environments/112913

  13. DNS Flag Day. DNS flag day 2020, 2020. [Accessed: April 23, 2023]. URL: https://www.dnsflagday.net/2020/

  14. Mike Eisler. NFS Version 2 and Version 3 Security Issues and the NFS Protocol’s Use of RPCSEC GSS and Kerberos V5, June 1999. URL: https://www.rfc-editor.org/info/rfc2623, doi:10.17487/RFC2623

  15. Mike Eisler, Lin Ling, and Alex Chiu. RPCSEC GSS Protocol Specification, 1997. URL: https://www.rfc-editor.org/info/rfc2203, doi:10.17487/RFC2203

  16. Xuewei Feng, Chuanpu Fu, Qi Li, Kun Sun, and Ke Xu. Off-path TCP exploits of the mixed IPID assignment. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020.

  17. Xuewei Feng, Qi Li, Kun Sun, Chuanpu Fu, and Ke Xu. Off-path TCP hijacking attacks via the side channel of downgraded IPID. IEEE/ACM Transactions on Networking, 30:409–422, 2022.

  18. Xuewei Feng, Qi Li, Kun Sun, Ke Xu, Baojun Liu, Xiaofeng Zheng, Qiushi Yang, Haixin Duan, and Zhiyun Qian. PMTUD is not panacea: Revisiting IP fragmentation attacks against TCP. NDSS, January 2022. doi:10.14722/ndss.2022.24381

  19. Yossi Gilad and Amir Herzberg. Off-path attacking the web. ArXiv, abs/1204.6623, 2012.

  20. Yossi Gilad and Amir Herzberg. Fragmentation considered vulnerable. ACM Transactions on Information and System Security (TISSEC), 15:16:1–16:31, April 2013. doi:10.1145/2445566.2445568

  21. Yossi Gilad and Amir Herzberg. When tolerance causes weakness: the case of injection-friendly browsers. Proceedings of the 22nd International Conference on World Wide Web, 2013.

  22. Yossi Gilad and Amir Herzberg. Off-path TCP injection attacks. ACM Trans. Inf. Syst. Secur., 16:13, 2014.

  23. Yossi Gilad, Amir Herzberg, and Haya Shulman. Off-path hacking: The illusion of challenge-response authentication. IEEE Security & Privacy, 12:68–77, 2013.

  24. Fernando Gont. Security Implications of Predictable Fragment Identification Values. RFC 7739, February 2016. URL: https://www.rfc-editor.org/info/rfc7739, doi:10.17487/RFC7739

  25. Roee Hay and Yair Amit. DNS poisoning via port exhaustion. URL: https://www.dc414.org/wp-content/uploads/2011/01/dnsp port exhaustion.pdf

  26. Roee Hay and Roi Saltzman. Weak randomness in Android’s DNS resolver, 2012. URL: https://blog.watchfire.com/files/androiddnsweakprng.pdf

  27. Thomas Haynes and David Noveck. Network File System (NFS) Version 4 Protocol. RFC 7530, March 2015. URL: https://www.rfc-editor.org/info/rfc7530, doi:10.17487/RFC7530

  28. Amir Herzberg and Haya Shulman. Fragmentation considered poisonous, or: One-domain-to-rule-them-all.org. 2013 IEEE Conference on Communications and Network Security (CNS), pages 224–232, 2013.

  29. Apple Inc. mount_nfs.8.auto.html. URL: https://opensource.apple.com/source/NFS/NFS-63/mount_nfs/mount_nfs.8.auto.html

  30. Apple Inc. nfs_gss.h.auto.html. URL: https://opensource.apple.com/source/xnu/xnu-7195.50.7.100.1/bsd/nfs/nfs_gss.h.auto.html

  31. Amit Klein. OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability, 2007. URL: https://dl.packetstormsecurity.net/papers/attack/OpenBSD DNS Cache Poisoning -and Multiple OS Predictable - IP ID Vulnerability.pdf

  32. Amit Klein. Cross layer attacks and how to use them (for DNS cache poisoning, device tracking and more). CoRR, abs/2012.07432, 2020. URL: https://arxiv.org/abs/2012.07432, arXiv:2012.07432

  33. Amit Klein. Subverting stateful firewalls with protocol states (extended version). CoRR, abs/2112.09604, 2021. URL: https://arxiv.org/abs/2112.09604, arXiv:2112.09604

  34. Amit Klein and Benny Pinkas. From IP ID to device ID and KASLR bypass (extended version). In USENIX Security Symposium, 2019.

  35. Jonathan Lyard, Jonathan Net, and Tony Reix. Security audit of NFSv4 implementation on GNU/Linux, September 2006.

  36. Ben Martin. Benchmarking NFSv3 vs. NFSv4 file operation performance. URL: https://www.linux.com/news/benchmarking-nfsv3-vs-nfsv4-file-operation-performance/

  37. David Noveck and Chuck Lever. Network File System (NFS) Version 4 Minor Version 1 Protocol, 2020. URL: https://www.rfc-editor.org/info/rfc8881, doi:10.17487/RFC8881

  38. Liran Orevi, Amir Herzberg, and Haim Zlatokrilov. DNS-DNS: DNS-based de-NAT scheme. In Cryptology and Network Security, 2018.

  39. E. Polyakov. Randomized ports - remote DNS cache poisoning, 2008.

  40. Zhiyun Qian and Z. Morley Mao. Off-path TCP sequence number inference attack - how firewall middleboxes reduce security. 2012 IEEE Symposium on Security and Privacy, pages 347–361, 2012.

  41. Zhiyun Qian, Z. Morley Mao, and Yinglian Xie. Collaborative TCP sequence number inference attack: how to crack sequence number under a second. Proceedings of the 2012 ACM Conference on Computer and Communications Security, 2012.

  42. Salvatore Sanfilippo. new tcp scan method, 1998. URL: https://seclists.org/bugtraq/1998/Dec/79

  43. Robert Thurlow. RPC: Remote Procedure Call Protocol Specification Version 2. RFC 5531, May 2009. URL: https://www.rfc-editor.org/info/rfc5531, doi:10.17487/RFC5531

  44. Palmer Travis (Travco). ”FIRST-TRY” DNS CACHE POISONING WITH IPV4 AND IPV6 FRAGMENTATION, March 2020. URL: https://wildwesthackinfest.com/blog/first-try-dns-cache-poisoning-on-ipv4-and-ipv6-travis-palmer/

  45. Aaron West. NSFv3 needs to die, so NSFv4 may live — loadbalancer.org. [Accessed 23-Apr-2023]. URL: https://www.loadbalancer.org/blog/nfsv3-vs-nfsv4/

  46. Xiaofeng Zheng, Chaoyi Lu, Jian Peng, Qiushi Yang, Dongjie Zhou, Baojun Liu, Keyu Man, Shuang Hao, Haixin Duan, and Zhiyun Qian. Poison over troubled forwarders: A cache poisoning attack targeting DNS forwarding devices. In USENIX Security Symposium, 2020.

  51. [51]

    As we show below, this applies to≈71% of the keys, while the remaining≈29% of keys have no pairs at all

    This assumes that the key (s 2) does have 20 pairs. As we show below, this applies to≈71% of the keys, while the remaining≈29% of keys have no pairs at all. So the overall success probability of this technique for a given random seed is ≈ 1

  52. [52]

    a tta ck er code here , running before main \ n

    On average, therefore, it would take 3·1056 = 3168 minutes (2.2 days) for the attack to succeed, and throughout this entire time the attacker must force the target device to send data at a 1Gbit/s rate. As such, this attack is impractical. B.2.3 Pairs per key In order for a pair (i, i+N−1) to be “valid” in a keys 2, the following must hold:i⊕s 2 < Mand (i...

  53. [53]

    Explicit Congestion Notification

    The last ID. Since each ID consists of four bytes, assumingL= 600 and an upper bound ofP= 3000, we have a total of (3000×3) + (600 + 1) + 1 = 9602 IDs which amounts to 38408 bytes (roughly 38.5KB). In our experiments, we send more data by including the duplicateY(i.e.XYZYinstead ofXYZ) and the sender index of each fragment (four bytes each). Additionally,...

  54. [54]

    attacker

    Attacker – The attacker in the experiment is comprised of two logically separate parts, which on our setup are also physically separated. (a) Frontend – The attacker device is connected to the switched-LAN, henceforth we will use the term “attacker” or “attacker device” to denote the frontend. (b) Backend – The attacker’s cryptanalysis machine on Azure, h...

  55. [55]

    fragmentation service

    macOS host (HTTP client) – A Macbook connected to the same switched- LAN as the attacker device. The macOS host runs an echo server listening on UDP port 3333 as a model of the “fragmentation service”

  56. [56]

    DANGER TCP IS NOT SAFE

    HTTP server – A second Macbook (the operating system of the server is immaterial to the attack, in our case we happened to use another Macbook for the server) connected to the same switched-LAN as the attacker device. The HTTP service listens on TCP port 8000. Steps 2 - 5 The same as the NFS attack. Step 6: Spoofing In this step, in contrast to the NFS, t...