In flow_divert_pcb_init_internal, a flow divert PCB is created and added to the desired socket below:

    fd_cb = flow_divert_pcb_create(so); // 1
    if (fd_cb != NULL) {
        so->so_fd_pcb = fd_cb;
        so->so_flags |= SOF_FLOW_DIVERT;
        // ...

        error = flow_divert_pcb_insert(fd_cb, group_unit); // 2
        if (error) {
            so->so_fd_pcb = NULL;
            so->so_flags &= ~SOF_FLOW_DIVERT;
            FDRELEASE(fd_cb); // 3
        } else {

flow_divert_pcb_create (1) creates a flow divert PCB and initializes it with a refcount of 1 to represent the socket's ownership. flow_divert_pcb_init_internal has a reference to the PCB on the stack with variable fd_cb that is otherwise unaccounted for with the assumption that fd_cb should be alive for the duration of the entire function thus the incref/decref can be elided. But flow_divert_pcb_insert (2) drops the socket lock, so another thread can call disconnectx on the socket, deleting the PCB from the socket after dropping its only reference. This leaves the fd_cb pointer dangling pointing to freed memory. If flow_divert_pcb_insert fails, as in this testcase (no groups available), the FD_RELEASE (3) call will (among other possible outcomes) modify a freed buffer.

The syscalls involved are available inside the app sandbox on iOS 15.4.

This bug was patched in iOS 15.5 (All credit goes to @NedWilliamson for this amazing bug.)