CVE-2018-4087

HIGH

Apple tvOS < 11.2.5 - Memory Corruption in Core Bluetooth

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2018-4087. PoCs published by Zimperium zLabs Team, MTJailed, rani-i.

AI-analyzed exploit summary This PoC exploits CVE-2018-4087, a vulnerability in macOS's bluetoothd service, by sending crafted Mach messages to hijack sessions and inject callbacks. It demonstrates the ability to manipulate session tokens and execute arbitrary code via callback injection.

Description

An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Core Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Zimperium zLabs Team · dosmultiple
https://www.exploit-db.com/exploits/44215

This PoC exploits CVE-2018-4087, a vulnerability in macOS's bluetoothd service, by sending crafted Mach messages to hijack sessions and inject callbacks. It demonstrates the ability to manipulate session tokens and execute arbitrary code via callback injection.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: macOS bluetoothd (versions affected by CVE-2018-4087)
No auth needed
Prerequisites: Local access to a vulnerable macOS system · bluetoothd service running
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 82 stars
by MTJailed · poc
https://github.com/MTJailed/UnjailMe

This repository contains a proof-of-concept exploit for CVE-2018-4087, targeting iOS jailbreak detection bypass. The exploit leverages a vulnerability in the securityd service to achieve local privilege escalation (LPE).

Classification
Working Poc 80%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: iOS (specific version not explicitly stated)
No auth needed
Prerequisites: iOS device with jailbreak detection mechanisms
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP 59 stars
by rani-i · poc
https://github.com/rani-i/bluetoothdPoC

This repository contains a writeup and references for CVE-2018-4087, a vulnerability in Apple's bluetoothd daemon that allows sandbox escape. It provides links to technical details and related research but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Theoretical
Target: Apple bluetoothd daemon (iOS/macOS)
No auth needed
Prerequisites: Access to a vulnerable iOS/macOS device with Bluetooth enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP 2 stars
by joedaguy · poc
https://github.com/joedaguy/Exploit11.2

This repository contains a README describing an incomplete exploit for CVE-2018-4087, targeting iOS 11.2.x for sandbox escapes and potential root access. It references collaboration with known researchers but lacks actual exploit code.

Classification
Writeup 80%
Attack Type
Lpe
Complexity
Complex
Reliability
Theoretical
Target: iOS 11.2.x
No auth needed
Prerequisites: iOS 11.2.x device · Developer access to create an app
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208462
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44215/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040265
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102774
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208464
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208463

Scores

CVSS v3 7.8
EPSS 0.0714
EPSS Percentile 93.5%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-119
Status published
Products (3)
apple/apple_tv < 11.2.5
apple/iphone_os < 11.2.5
apple/watchos < 4.2.2
Published Apr 03, 2018
Tracked Since Feb 18, 2026