Section I

Introduction

Why zero-click chains matter and what the 2025 case reveals.

In August 2025, Apple and WhatsApp released emergency advisories for CVE-2025-43300 and CVE-2025-55177, a pair of vulnerabilities that, chained together, had already been used in the wild to compromise the mobile devices of fewer than 200 users over the preceding 90 days [1, 2]. Independent reporting identified many of the targets as journalists, human-rights defenders, and civil-society figures [3]. The chain required no clicks, no downloads, and no error on the victim’s part: receiving a WhatsApp message was sufficient. Both CVEs were added within weeks to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog [4], mandating remediation across federal networks.

Zero-click chains of this shape have become the defining offensive capability of commercial spyware. Unlike phishing, which relies on social engineering, and unlike drive-by compromise, which relies on the victim visiting an attacker-controlled URL, a zero-click chain weaponizes the infrastructure that modern mobile operating systems use to render inbound media. Knowledge of the victim’s phone number is sufficient; no further action on the victim’s part is required. The asymmetry of this attack model (bounded defender effort against unbounded attacker opportunity) makes zero-click delivery the most consequential primitive in targeted surveillance today [5].

What makes the 2025 chain technically striking is its genealogy. Both vulnerabilities fire in code written in C, a language first standardized in 1989 whose memory model (Section II) enforces neither bounds, nor type safety, nor lifetimes. The exploitation stage is a heap out-of-bounds write in an image parser, a bug class whose stack-based ancestor was first formalized by Aleph One in 1996 [6] and whose heap-resident variant ranked second in the MITRE CWE Top 25 in 2024 (score 45.20, 18 entries in the CISA Known Exploited Vulnerabilities catalog) [7, 8] and remained the highest-ranked memory-corruption class in 2025 [9]. Industry-wide, memory-safety bugs account for approximately 70 % of all CVEs patched annually by major software vendors, a figure confirmed independently by Microsoft’s Security Response Center across twelve years of patch analysis [10] and by Google’s Chromium team across hundreds of high-severity browser bugs [11]. Despite repeated calls from CISA and the U.S. Office of the National Cyber Director for migration to memory-safe languages [12], the media-parsing frameworks at the core of every major mobile platform remain overwhelmingly C and C++. The result is a structural mismatch: a decades-old memory model is entrusted with the first parsing step of every image delivered to every networked device.

This is not the first time the pattern has produced high-profile civilian casualties. In 2021, Citizen Lab and Google Project Zero reverse-engineered FORCEDENTRY (CVE-2021-30860), an NSO Group Pegasus zero-click chain with nearly identical architecture: iMessage delivery, CoreGraphics image parsing, heap corruption [13, 14]. Four years later, the 2025 WhatsApp–ImageIO chain reproduces the same three-step pattern in a different ecosystem, messenger, image format, and parser, with the same outcome. This cross-platform recurrence is the central empirical observation motivating this study. As this manuscript was being finalized, two further write-primitive Linux kernel root exploits were disclosed in quick succession: Copy Fail (CVE-2026-31431, April 2026, AF_ALG crypto subsystem) [15] and DirtyFrag (CVE-2026-43284, May 2026, xfrm-ESP networking) [16], providing real-time evidence that the broader write-primitive exploit class documented in Section II-F is ongoing and not confined to the iOS ecosystem.

Research question. This paper asks: how do decades-old memory-corruption patterns in C enable modern zero-click exploit chains, and what does the 2025 WhatsApp–ImageIO attack reveal about the persistence of these vulnerabilities in industry-critical software?

Contributions. This paper makes three contributions:

  1. A reconstruction of the 2025 zero-click chain from public primary sources (vendor advisories, patch diffs, and independent reverse engineering [17]), covering the delivery primitive (CVE-2025-55177, CWE-863) and the exploitation primitive (CVE-2025-43300, CWE-787), and showing how the two stages compose into a complete, interaction-free compromise.

  2. A pedagogical bridge from the Exploit Education Phoenix heap-two exercise to CVE-2025-43300, demonstrating that the core mechanic (a heap buffer overflowed into adjacent function-pointer-bearing data) is the same primitive at two drastically different complexity levels. The bridge is intended for readers whose prior exposure to memory corruption stops at textbook stack smashing.

  3. A structural argument that the FORCEDENTRY → WhatsApp–ImageIO lineage, spanning four years and two independent ecosystems, is evidence that the current mitigation stack (ASLR, sandboxing, pointer authentication) has not closed the fundamental attack class; it only raised its price.
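To make the mechanic behind contribution 2 concrete, and the unchecked C memory model discussed above, the following added example (not code from the paper, from the Phoenix exercises, or from ImageIO) contrasts a parser that trusts a header-declared pixel count with one that validates it. The toy "TIMG" format, the `PIXEL_CAP` constant, the `struct decoder` layout and all function names are constructed for illustration; the buffer is deliberately placed before a callback pointer to mirror the layout the paper describes, so the reader can see exactly which check keeps the write inside the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy image format (not a real format): 4-byte magic "TIMG",
 * little-endian uint16 width, uint16 height, then width*height pixel bytes. */
#define TIMG_HDR_LEN 8
#define PIXEL_CAP    64   /* fixed capacity of the decoder's pixel buffer */

/* Hypothetical decoder object. The pixel buffer sits directly before a
 * function pointer, mirroring the heap layout the paper describes: any
 * write that runs past `pixels` lands on `on_complete`. */
struct decoder {
    uint8_t  pixels[PIXEL_CAP];
    uint32_t npixels;
    void   (*on_complete)(struct decoder *);
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern (CWE-787): the pixel count comes straight from the
 * untrusted header. A width*height larger than PIXEL_CAP makes memcpy
 * write past the heap buffer. Shown for contrast only; it is never called
 * here with a malformed header. */
int parse_unchecked(struct decoder *d, const uint8_t *blob, size_t len) {
    if (len < TIMG_HDR_LEN || memcmp(blob, "TIMG", 4) != 0) return -1;
    uint32_t n = (uint32_t)rd16(blob + 4) * rd16(blob + 6);
    memcpy(d->pixels, blob + TIMG_HDR_LEN, n);   /* no bounds check */
    d->npixels = n;
    return 0;
}

/* Hardened pattern: every length derived from untrusted input is checked
 * against both the destination capacity and the bytes actually present.
 * Two uint16 values multiplied always fit in uint32, so the product itself
 * cannot wrap. */
int parse_checked(struct decoder *d, const uint8_t *blob, size_t len) {
    if (len < TIMG_HDR_LEN || memcmp(blob, "TIMG", 4) != 0) return -1;
    uint32_t n = (uint32_t)rd16(blob + 4) * rd16(blob + 6);
    if (n > PIXEL_CAP) return -2;            /* declared size exceeds buffer */
    if (n > len - TIMG_HDR_LEN) return -3;   /* declared size exceeds input */
    memcpy(d->pixels, blob + TIMG_HDR_LEN, n);
    d->npixels = n;
    return 0;
}

/* Build a constructed blob with the given header fields and `body_len`
 * pixel bytes; returns total length. `out` must hold TIMG_HDR_LEN + body_len. */
size_t make_blob(uint8_t *out, uint16_t w, uint16_t h, size_t body_len) {
    memcpy(out, "TIMG", 4);
    out[4] = (uint8_t)(w & 0xff); out[5] = (uint8_t)(w >> 8);
    out[6] = (uint8_t)(h & 0xff); out[7] = (uint8_t)(h >> 8);
    memset(out + TIMG_HDR_LEN, 0xAB, body_len);
    return TIMG_HDR_LEN + body_len;
}

int main(void) {
    uint8_t blob[TIMG_HDR_LEN + 512];
    struct decoder *d = calloc(1, sizeof *d);
    if (!d) return 1;

    size_t len = make_blob(blob, 4, 4, 16);   /* well-formed: 16 pixels */
    printf("well-formed: rc=%d, %u pixels\n",
           parse_checked(d, blob, len), (unsigned)d->npixels);

    len = make_blob(blob, 20, 20, 400);       /* header claims 400 > PIXEL_CAP */
    printf("oversized header: rc=%d\n", parse_checked(d, blob, len));

    len = make_blob(blob, 4, 4, 2);           /* header claims 16, only 2 present */
    printf("truncated body: rc=%d\n", parse_checked(d, blob, len));

    free(d);
    return 0;
}
```

The two rejected inputs are the cases a fuzzer or a malicious sender would present: a header whose declared geometry exceeds the allocation, and a header whose declared geometry exceeds the bytes actually delivered. The unchecked parser accepts both silently, and in the first case the overrun destination is the adjacent `on_complete` pointer, which is the whole reason the size check in an image decoder is security-critical rather than merely a robustness nicety.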

Scope and non-goals. This paper does not present a new exploit, a new vulnerability, or proprietary reverse engineering. All technical material is drawn from publicly disclosed sources. The Phoenix heap-two exercise is treated as a controlled pedagogical artifact, not a substitute for the real chain.

Roadmap. Section II introduces the C memory model, the two CWE classes at play, the iOS media pipeline, the FORCEDENTRY precedent, and the decade-long recurrence of write-primitive exploits across iOS and Linux. Section III describes our CVE selection criteria, analysis framework, and Phoenix setup. Section IV is the core technical analysis of the 2025 chain. Section V reflects on why the current mitigation stack fails to close this attack class. Section VI concludes.

References

[1] WhatsApp / Meta, “WhatsApp Security Advisory: CVE-2025-55177”, official advisory, 2025.
[2] Apple Inc., “About the security content of iOS 18.6.2 and iPadOS 18.6.2”, official security advisory, 2025.
[3] Lookout Threat Intelligence, “A vulnerability in WhatsApp for iOS and Mac: CVE-2025-55177”, threat intelligence report, 2025.
[4] CISA (Cybersecurity and Infrastructure Security Agency), “Known Exploited Vulnerabilities Catalog”, online catalog, 2025.
[5] Roy, Anurag, “Technical Research Report: Advanced iPhone Zero-Click Exploits and Spyware (2019–2025)”, research report, 2025.
[6] Aleph One, “Smashing the Stack for Fun and Profit”, Phrack Magazine, 1996.
[7] MITRE Corporation, “2024 CWE Top 25 Most Dangerous Software Weaknesses”, online database, 2024.
[8] MITRE Corporation, “CWE-787: Out-of-bounds Write”, online database, 2024.
[9] MITRE Corporation, “2025 CWE Top 25 Most Dangerous Software Weaknesses”, online database, 2025.
[10] Thomas, Gavin, “A Proactive Approach to More Secure Code”, Microsoft Security Response Center blog, 2019.
[11] Google Chrome Security Team, “Memory Safety – Chromium”, Chromium project documentation, 2024.
[12] CISA, “The Urgent Need for Memory Safety in Software Products”, policy document, 2023.
[13] Citizen Lab, “FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild”, research report, 2021.
[14] Google Project Zero, “A Deep Dive into an NSO Zero-Click iMessage Exploit: Remote Code Execution”, research blog, 2021.
[15] Microsoft Threat Intelligence, “CVE-2026-31431: Copy Fail Vulnerability Enables Linux Root Privilege Escalation”, Microsoft Security Blog, 2026.
[16] Wiz Research, “DirtyFrag: Linux Kernel Local Privilege Escalation via ESP and RxRPC (CVE-2026-43284)”, Wiz security blog, 2026.
[17] Quarkslab, “Reverse Engineering of Apple's iOS 0-click CVE-2025-43300: 2 Bytes That Make Size Matter”, research blog, 2025.