- The hacker creates an arbitrary fake port and then releases it. The user-mode port still points to the port address that has just been released.
- The hacker then performs a cross-zone attack to fill the fake port.
- The port address is now readable, leading to a heap address leak.
- From that leak, the hacker determines the base address of the kernel.
- By filling the fake task port, the hacker achieves kernel read-write permissions.
Turning this into a jailbreak is extremely hard: it requires another vulnerability to be present and chained with it. Even so, it is significant and could potentially be used for a jailbreak on iOS 10.3 - 11.1.2.