Reply to App crashes in CGFontStrikeRelease
Adding a data point to this thread. We're seeing the exact same stack chain — _os_unfair_lock_corruption_abort → _os_unfair_lock_lock_slow → CGFontStrikeGetSize → CGGlyphBuilderUnlockBitmaps → render_glyphs → CA::Transaction::commit → _UIApplicationFlushCATransaction — deterministically reproducing on iPhone 17 Pro Max + iOS 26.4.2 (build 23E261) during a SwiftUI Setup→Session view transition while CoreML models are warming and an AVAudioEngine is starting. Filed as FB22728399 on 2026-05-08, with 6 byte-identical .ips reports and a full sysdiagnose attached.

A few additions to the existing reports here:

Negative MallocStackLogging result. Crash reproduces with MallocStackLogging + MallocScribble + MallocPreScribble + MallocGuardEdges all simultaneously active. Zero malloc diagnostics fire. The corrupting write is not in user-managed heap.

Co-occurring signal. 8× "AVAudioBuffer.mm:281 mBuffers[0].mDataByteSize (0) should be non-zero" warnings during the same model-compile window in which the lock corruption surfaces. Suggests the race involves audio session activation overlapping with text-rendering during view transition.

Consumer-substitution evidence. A sibling variant of this Mandelbug surfaces on the return transition with cache_t::bad_cache aborting on _UILiquidLensView (iOS 26 Liquid Glass) during UISwitch reinstantiation. Replacing the UISwitch site with a pure-SwiftUI custom ToggleStyle (no UIViewRepresentable) suppresses the back-transition variant — but the forward-transition CGFontStrikeGetSize variant in this thread continues to fire. Both surfaces appear to be consumers of an upstream race in Apple-framework cache state, not consumers of each other.

Cross-reference: github.com/mshibanami/iOS26Crash (FB20447562) for a related iOS 26 UISwitch / Liquid Glass family member, and Apple Developer Forums thread/822643 for the iOS 26.3.1+ drawHierarchy regression that DTS attributed to ImageIO security patches.

Happy to share the .ips, sysdiagnose, and full reproducer if it helps triage.
Topic: UI Frameworks SubTopic: UIKit Tags:
2d