The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods, however by racing two threads, one of which closes the userclient (which frees the IOCommandGate) and one of which tries to make an external method call we can cause a use-after-free of the IOCommandGate.
28d80c38ca1c4a122d94f26bd1b48d9e
Apple Security Advisory 2016-03-21-3 - tvOS 9.2 is now available and addresses code execution, memory corruption, and various other vulnerabilities.
7e9d1464c8e73a80b765ad62fe62ae79
Apple Security Advisory 2016-03-21-1 - iOS 9.3 is now available and addresses code execution, memory corruption, and various other vulnerabilities.
559ba3922fc3f4db59252d6094c03a23