A Worm in the Apple: Wormable Zero-Click RCE in AirPlay Impacts Billions of Apple and IoT Devices
Avi Lumelsky, Uri Katz
BSidesSF 2026 · Day 2 · AMC IMAX
This talk, presented by Avi Lumelsky and Uri Katz from Oligo, unveiled a critical collection of vulnerabilities dubbed "Airborne," affecting Apple's widely used AirPlay protocol. The research uncovered 23 distinct vulnerabilities, 17 of which were assigned CVEs, that when chained together, allow for **zero-click remote code execution (RCE)**. Crucially, these exploits are **wormable**, capable of propagating across networks without user interaction, impacting not only billions of Apple devices but also a vast ecosystem of third-party Internet of Things (IoT) devices that integrate the AirPlay SDK.
AI review
Lumelsky and Katz drop a genuinely impressive research package: 17 CVEs, wormable zero-click RCE on macOS via a UAF chain in FairPlay, root on IoT devices via a stackless stack overflow, and a zero-click bypass hiding behind an internal AirPlay handshake flag. The work is original, the exploitation path is non-trivial, and the wormability angle through AWDL0 elevates this above a typical protocol audit.