[michaelt]

In ~2020, it was:

Attacker sends an imessage containing a PDF

imessage, like most modern messaging apps, displays a preview - which means running the PDF loader.

The PDF loader has support for the obsolete-but-part-of-the-pdf-standard image codec 'JBIG2'

Apple's JBIG2 codec has an exploitable bug, giving the attacker remote code execution on the device.

This exploit was purchased by NSO, who sold it to a bunch of middle eastern dictatorships who promptly used it on journalists.

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...

[wat10000]

None of that ran in the kernel. Everything happens within a single process up until the sandbox escape, which isn't even covered in your article. The article's sequel* goes into detail about that part, which involves subverting a more privileged process by exploiting logic errors to get it to execute code. The only involvement by the kernel is passing IPC messages back and forth.

* https://googleprojectzero.blogspot.com/2022/03/forcedentry-s...