CVE-2025-43253: Bypassing Launch Constraints on macOS
Quick(er) one today! As covered by Csaba Fitzl in his initial article on the topic and his later follow-up deep-dive, launch constraints are a feature on macOS that stops binaries from being launched unless certain conditions are met. To be a bit pedantic, the constraints in question here are referred to by Apple as lightweight code requirements (which is sometimes initialized as LWCR).
Lightweight code requirements are often expressed as a dictionary of conditions that should be true in order for the process to launch. As explained in the previously-linked article, these constraints can be either self constraints (such as an on-system-volume constraint on system processes to ensure they can't be copied to a temporary directory and launched) or parent constraints (such as an is-init-proc constraint on daemons to ensure that only the init proc can launch them).
These constraints are powerful tools that can essential mitigate entire classes of exploits. If a binary can only be launched under certain conditions, and those conditions are tight enough to where an attacker cannot gain a foothold, the binary becomes very difficult to exploit. Previously attacks, such as copying a system app with plugin support to a temporary directory, modifying it, and then giving it a malicious plugin, can be thoroughly prevented. They're a very good and important feature. So let's break them!
