CVE-2018-4185

HIGH

iPhone OS < 11.3, macOS < 10.13.4, tvOS < 11.3, watchOS < 4.3 - Information Disclosure via State Transition


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-4185. PoC published by bazad.

AI-analyzed exploit summary: This PoC exploits CVE-2018-4185, an iOS kernel information leak in iOS 11.2 due to the `__ARM_KERNEL_PROTECT__` feature inadvertently exposing the kernel function address `Lel0_synchronous_vector_64_long` via register `x18` when using `thread_get_state`.

Description

In iOS before 11.3, tvOS before 11.3, watchOS before 4.3, and macOS before High Sierra 10.13.4, an information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.

Exploits (1)

nomisec WORKING POC 87 stars
by bazad · poc
https://github.com/bazad/x18-leak


Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Apple iOS 11.2 (XNU kernel)
No auth needed
Prerequisites: iOS 11.2 device · ability to execute arbitrary code in userland
devstral-2 · analyzed Feb 16, 2026

References (4)

Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208696
Vendor Advisory x_refsource_misc
https://support.apple.com/HT208692
Vendor Advisory x_refsource_misc
https://support.apple.com/HT208693
Vendor Advisory x_refsource_misc
https://support.apple.com/HT208698

Scores

CVSS v3 7.5
EPSS 0.0295
EPSS Percentile 85.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (4)
apple/iphone_os < 11.3
apple/mac_os_x < 10.13.4
apple/tvos < 11.3
apple/watchos < 4.3
Published Jan 11, 2019
Tracked Since Feb 18, 2026