CVE-2017-13868

MEDIUM

Apple iOS <11.2, macOS <10.13.2, watchOS <4.2, tvOS <11.2 - Kernel Info Disclosure

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-13868. PoCs published by Brandon Azad, bazad.

AI-analyzed exploit summary: This exploit leverages a kernel heap information leak in macOS High Sierra (CVE-2017-13868) by exploiting a race condition in the `ctl_ctloutput()` function, which fails to check the return value of `sooptcopyin()`. This allows uninitialized kernel heap data to be leaked to user space via a crafted `getsockopt()` call on a kernel control socket.

Description

An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.

Exploits (2)

exploitdb WORKING POC
by Brandon Azad · c · local · macos
https://www.exploit-db.com/exploits/44234

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Racy
Target: macOS High Sierra (10.13, build 17A365)
Auth required
Prerequisites: root privileges · access to kernel control socket
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 27 stars
by bazad · poc
https://github.com/bazad/ctl_ctloutput-leak

This PoC exploits CVE-2017-13868, a kernel heap information leak in macOS High Sierra 10.13 and iOS 10.1.1, by leveraging a race condition in the `ctl_ctloutput` function to leak uninitialized kernel heap data to user space. The exploit requires root privileges and demonstrates the vulnerability by triggering a race between memory allocation and copy operations.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Racy
Target: macOS High Sierra 10.13.1 Beta 17B25c, iOS 10.1.1 14B100
Auth required
Prerequisites: root privileges · access to kernel control socket
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208331
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208327
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208325
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039966
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039953
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208334
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039952
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102100
Exploit, Third Party Advisory x_refsource_misc
https://bazad.github.io/2018/03/a-fun-xnu-infoleak/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/bazad/ctl_ctloutput-leak

Scores

CVSS v3 5.5
EPSS 0.0986
EPSS Percentile 93.2%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

CWE: CWE-200
Status: published
Products (4)
apple/iphone_os < 11.2
apple/mac_os_x < 10.13.2
apple/tvos < 11.2
apple/watchos < 4.2
Published Dec 25, 2017
Tracked Since Feb 18, 2026