CVE-2018-4280

HIGH

iPhone OS < 11.4.1 - Memory Corruption

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-4280. PoCs published by bazad.

AI-analyzed exploit summary This repository contains a working PoC for CVE-2018-4280, a Mach port replacement vulnerability in launchd on iOS 11.2.6. The exploit leverages a Mach port over-deallocation bug to impersonate system services, leading to sandbox escape and privilege escalation.

Description

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 11.4.1, macOS High Sierra 10.13.6, tvOS 11.4.1, watchOS 4.3.2.

Exploits (2)

nomisec WORKING POC 257 stars

by bazad · poc

https://github.com/bazad/blanket

View Code ZIP pw:eip

This repository contains a working PoC for CVE-2018-4280, a Mach port replacement vulnerability in launchd on iOS 11.2.6. The exploit leverages a Mach port over-deallocation bug to impersonate system services, leading to sandbox escape and privilege escalation.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Apple iOS launchd (versions up to iOS 11.4.1)

No auth needed

Prerequisites: Physical or remote access to a vulnerable iOS device · Ability to execute arbitrary code on the device

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 59 stars

by bazad · poc

https://github.com/bazad/launchd-portrep

View Code ZIP pw:eip

This exploit leverages a port replacement vulnerability in launchd (CVE-2018-4280) by sending crafted Mach messages to deallocate launchd's send rights to arbitrary ports, allowing impersonation of system services like coreservicesd to escalate privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: macOS launchd (versions affected by CVE-2018-4280)

No auth needed

Prerequisites: Local access to a vulnerable macOS system · Ability to send Mach messages to launchd

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory x_refsource_misc

https://support.apple.com/kb/HT208937

Vendor Advisory x_refsource_misc

https://support.apple.com/kb/HT208938

Vendor Advisory x_refsource_misc

https://support.apple.com/kb/HT208935

Vendor Advisory x_refsource_misc

https://support.apple.com/kb/HT208936

Scores

CVSS v3 7.8

EPSS 0.0206

EPSS Percentile 78.8%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-119

Status published

Products (4)

apple/iphone_os < 11.4.1

apple/mac_os_x < 10.13.6

apple/tvos < 11.4.1

apple/watchos < 4.3.2

Published Apr 03, 2019

Tracked Since Feb 18, 2026