CVE-2018-4240

MEDIUM

iPhone OS < 11.4, macOS < 10.13.5, tvOS < 11.4, watchOS < 4.3.1 - Denial of Service via Crafted Message

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-4240. PoCs published by Sriram.

AI-analyzed exploit summary: This PoC generates a text file containing a payload with RLM (Right-to-Left Mark) characters that, when sent via WhatsApp and clicked by the victim, causes a denial of service on macOS and iOS devices. The exploit leverages a vulnerability in text rendering to crash the target system.

Description

An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Messages" component. It allows remote attackers to cause a denial of service via a crafted message.

Exploits (1)

exploitdb WORKING POC
by Sriram · python · dos · macos
https://www.exploit-db.com/exploits/45391

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Apple macOS 10.13.4, iOS 11.3, tvOS 11.3, watchOS 4.3.0
No auth needed
Prerequisites: Python to generate the payload file · WhatsApp or similar messaging platform to deliver the payload
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208850
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208851
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041027
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208848
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT208849
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45391/

Scores

CVSS v3 6.5
EPSS 0.0699
EPSS Percentile 93.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE: CWE-20
Status: published
Products (4)
apple/iphone_os < 11.4
apple/mac_os_x < 10.13.5
apple/tvos < 11.4
apple/watchos < 4.3.1
Published Jun 08, 2018
Tracked Since Feb 18, 2026