The kernel in Apple iOS before 6 dereferences invalid pointers during the handling of packet-filter data structures, which allows local users to gain privileges via a crafted program that makes packet-filter ioctl calls.