CVE-2018-4243

HIGH

iPhone OS < 11.4 - Local Privilege Escalation via getvolattrlist Kernel Heap Overflow

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-4243. PoCs published by Google Security Research, Jailbreaks.

AI-analyzed exploit summary

This exploit demonstrates a kernel heap overflow in macOS/iOS due to insufficient buffer size validation in the `getvolattrlist` function. By supplying a small buffer size while requesting `ATTR_CMN_RETURNED_ATTRS`, the kernel copies data beyond the allocated buffer, leading to a heap-based overflow.
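The summary above describes a CWE-119 size-accounting error: the caller's buffer size is validated against part of what the kernel will write, and a requested header (the `attribute_set_t` that `ATTR_CMN_RETURNED_ATTRS` asks for) is then written regardless. The C below is an added illustration of that pattern, not XNU code and not either published exploit. Only the `getattrlist(2)` output layout (a 32-bit length word, then a 20-byte `attribute_set_t` when `ATTR_CMN_RETURNED_ATTRS` is requested, then the fixed attributes) and the flag value come from `<sys/attr.h>`; the check logic, the scratch buffer and the function names are assumptions made for this model. With a 16-byte buffer and no other attributes the model writes 8 zero bytes past the end, which is the shape the second exploit's summary describes (a NULL-sized write off the end of a kalloc.16 allocation); the hardened variant rejects the same request before touching the buffer.

```c
/* Added model of the buffer-size accounting bug, NOT XNU's getvolattrlist. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_CMN_RETURNED_ATTRS 0x80000000u   /* flag value as in <sys/attr.h> */
#define KALLOC_16 16                          /* bucket size named in the exploit summary */

/* attribute_set_t from <sys/attr.h>: five 32-bit bitmaps, 20 bytes. */
typedef struct { uint32_t bitmap[5]; } attribute_set_t;

/* Output begins with a 32-bit total length, followed by an attribute_set_t
 * when ATTR_CMN_RETURNED_ATTRS was requested, then the fixed attribute fields. */
static size_t header_bytes(uint32_t commonattr) {
    size_t n = sizeof(uint32_t);
    if (commonattr & ATTR_CMN_RETURNED_ATTRS) n += sizeof(attribute_set_t);
    return n;
}

/* Vulnerable accounting (model): validates only the fixed payload against the
 * caller's buffer size, then writes the header unconditionally. Returns how many
 * bytes landed past the end of a bufsize-byte allocation (0 = no overflow).
 * Writes go to an oversized scratch buffer so the model itself stays memory-safe. */
size_t build_vulnerable(uint32_t commonattr, size_t fixed_attr_len, size_t bufsize) {
    uint8_t scratch[256];
    if (bufsize > 128 || fixed_attr_len > 64) return (size_t)-1;   /* model bounds only */
    memset(scratch, 0xAA, sizeof scratch);

    /* Flawed check: compares the payload alone and forgets header_bytes(). */
    if (fixed_attr_len > bufsize) return 0;                          /* rejected, nothing written */

    size_t cursor = 0;
    uint32_t total = (uint32_t)(header_bytes(commonattr) + fixed_attr_len);
    memcpy(scratch + cursor, &total, sizeof total);
    cursor += sizeof total;
    if (commonattr & ATTR_CMN_RETURNED_ATTRS) {
        memset(scratch + cursor, 0, sizeof(attribute_set_t));        /* zero-filled set: the NULL bytes */
        cursor += sizeof(attribute_set_t);
    }
    memset(scratch + cursor, 0x41, fixed_attr_len);                  /* stand-in for fixed attributes */
    cursor += fixed_attr_len;

    return cursor > bufsize ? cursor - bufsize : 0;
}

/* Hardened accounting: count every byte that will be written before writing any.
 * Returns 0 when the request fits, -1 when it must be refused (ERANGE/EINVAL to the caller). */
int build_hardened(uint32_t commonattr, size_t fixed_attr_len, size_t bufsize) {
    size_t need = header_bytes(commonattr) + fixed_attr_len;
    if (need > bufsize) return -1;
    return 0;   /* safe to build with the same layout as above */
}

int main(void) {
    size_t spill = build_vulnerable(ATTR_CMN_RETURNED_ATTRS, 0, KALLOC_16);
    printf("vulnerable model, 16-byte buffer: %zu byte(s) written past the end\n", spill);
    printf("hardened model, same request: %s\n",
           build_hardened(ATTR_CMN_RETURNED_ATTRS, 0, KALLOC_16) == 0 ? "accepted" : "rejected");
    printf("hardened model, 24-byte buffer: %s\n",
           build_hardened(ATTR_CMN_RETURNED_ATTRS, 0, 24) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the comparison is where the size check sits: the vulnerable path decides on a partial total and keeps writing, while the hardened path computes the full total (header plus payload) first and fails closed. That ordering, not the specific constants, is what the fix for this class of bug has to get right.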

Description

An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Kernel" component. A buffer overflow in getvolattrlist allows attackers to execute arbitrary code in a privileged context via a crafted app.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Google Security Research · C · DoS · Multiple
https://www.exploit-db.com/exploits/44848


Classification: working PoC (95%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: macOS/iOS kernel (tested on macOS 10.13.4)
Authentication: none needed
Prerequisites: access to a vulnerable macOS/iOS system
Analyzed by devstral-2 · Feb 16, 2026
nomisec WORKING POC 19 stars
by Jailbreaks · poc
https://github.com/Jailbreaks/empty_list

This is a working exploit for CVE-2018-4243, an iOS kernel vulnerability in the `getvolattrlist` function that allows a NULL pointer write off the end of a kalloc.16 allocation. The exploit targets `struct ipc_port` to achieve kernel read/write access on iOS 11.0-11.3.1.

Classification: working PoC (95%)
Attack type: LPE
Complexity: Complex
Reliability: Racy
Target: Apple iOS 11.0 - 11.3.1
Authentication: none needed
Prerequisites: iOS device running a vulnerable version · ability to execute arbitrary code in userland
Analyzed by devstral-2 · Feb 16, 2026

References (7)

Core References (7)

Vendor Advisory (x_refsource_confirm): https://support.apple.com/HT208850
Exploit, Third Party Advisory, VDB Entry (x_refsource_exploit-db): https://www.exploit-db.com/exploits/44848/
Vendor Advisory (x_refsource_confirm): https://support.apple.com/HT208851
Third Party Advisory, VDB Entry (x_refsource_sectrack): http://www.securitytracker.com/id/1041027
Exploit, Issue Tracking, Third Party Advisory (x_refsource_misc): https://bugs.chromium.org/p/project-zero/issues/detail?id=1564
Vendor Advisory (x_refsource_confirm): https://support.apple.com/HT208848
Vendor Advisory (x_refsource_confirm): https://support.apple.com/HT208849

Scores

CVSS v3 7.8
EPSS 0.2835
EPSS Percentile 96.6%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-119
Status published
Products (4)
apple/apple_tv < 11.4
apple/iphone_os < 11.4
apple/mac_os_x < 10.13.5
apple/watchos < 4.3.1
Published Jun 08, 2018
Tracked Since Feb 18, 2026