The mach voucher subsystem fails to correctly handle spoofed no-more-senders messages. ipc_kobject_server will be called for mach messages sent to kernel-owned mach ports. If the msgh_id of the message can't be found in the mig_buckets hash table then this function calls ipc_kobject_notify. Note that this is the same code path which would be taken for a real no-more-senders notification message but there's nothing stopping user-space from also just sending one.
1042bf509240fef0a9ac35c0d9ae68166b05f9869f97a04609c7cfaf25873502
Apple Security Advisory 2015-12-08-4 - watchOS 2.1 is now available and addresses 30 security issues.
35e6c7749d96dbf64e523cf50d19919b547c725da825f7a56fc848495736ffe5
Apple Security Advisory 2015-12-08-2 - tvOS 9.1 is now available and addresses 48 security issues.
86a1c0b0064c65e2ba9f9e35f71969a6953435935620d00089199e7d216c3ef8
Apple Security Advisory 2015-12-08-3 - OS X El Capitan 10.11.2 and Security Update 2015-008 is now available and addresses 54 vulnerabilities.
78e2a97a16b2ff481c45ddbbba9833cf2d0f52000284853fc1795caaaf5b2c92
Apple Security Advisory 2015-12-08-1 - iOS 9.2 is now available and addresses at least 50 security vulnerabilities.
e95c0155e9a3059625dc58d7286d266927a20daeeadb4db49bcc96e0e4c2eafc