CVE-2018-4241

HIGH

Apple tvOS < 11.4 - Kernel Buffer Overflow in mptcp_usr_connectx

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-4241. PoCs published by Google Security Research, 0neday.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in the mptcp_usr_connectx function in macOS and iOS 11, where improper handling of sockaddr structures whose address family is neither AF_INET nor AF_INET6 leads to a controlled pointer overwrite and potential kernel memory corruption. The PoC triggers the issue by manipulating sa_len to overwrite the mpte_itfinfo field, resulting in a kfree of a controlled pointer when the socket is closed.

Description

An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Kernel" component. A buffer overflow in mptcp_usr_connectx allows attackers to execute arbitrary code in a privileged context via a crafted app.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Google Security Research · tags: text, dos, multiple
https://www.exploit-db.com/exploits/44849

Classification: Working PoC (90%)
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Apple macOS and iOS 11 with MPTCP enabled
Auth required
Prerequisites: Root access on macOS or multipath entitlement on iOS 11 · MPTCP socket family support
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 4 stars
by 0neday · poc
https://github.com/0neday/multi_path

This is a working exploit PoC for CVE-2018-4241, targeting a memory corruption vulnerability in the mptcp_usr_connectx function on iOS 11.0-11.3.1. The exploit leverages a heap overflow to achieve an arbitrary kernel memory read/write primitive, leading to local privilege escalation.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Apple iOS 11.0-11.3.1 (multipath TCP socket handling)
Auth required
Prerequisites: Apple Developer certificate with com.apple.developer.networking.multipath entitlement · iOS device running 11.0-11.3.1
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References (7)
Exploit, Third Party Advisory, VDB Entry (exploit-db): https://www.exploit-db.com/exploits/44849/
Vendor Advisory (confirm): https://support.apple.com/HT208850
Exploit, Issue Tracking, Third Party Advisory (misc): https://bugs.chromium.org/p/project-zero/issues/detail?id=1558
Vendor Advisory (confirm): https://support.apple.com/HT208851
Third Party Advisory, VDB Entry (sectrack): http://www.securitytracker.com/id/1041027
Vendor Advisory (confirm): https://support.apple.com/HT208848
Vendor Advisory (confirm): https://support.apple.com/HT208849

Scores

CVSS v3: 7.8
EPSS: 0.0822
EPSS Percentile: 94.2%
Attack Vector: LOCAL
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-119
Status: published
Products (4):
apple/apple_tv < 11.4
apple/iphone_os < 11.4
apple/mac_os_x < 10.13.5
apple/watchos < 4.3.1
Published: Jun 08, 2018
Tracked Since: Feb 18, 2026