CVE-2018-4441

HIGH

Safari < 12.0.2 - Memory Corruption


Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-4441. PoCs published by Google Security Research, Specter, Cryptogenic.

AI-analyzed exploit summary: This PoC exploits a vulnerability in JavaScriptCore's array handling, specifically manipulating `m_numValuesInVector` to bypass hole checks, leading to out-of-bounds (OOB) reads/writes. The exploit leverages `Array.prototype.splice` to trigger the vulnerability by setting an unusually large array length and then manipulating it.

Description

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 12.1.1, tvOS 12.1.1, watchOS 5.1.2, Safari 12.0.2, iTunes 12.9.2 for Windows, iCloud for Windows 7.9.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Google Security Research · tags: javascript · dos · multiple
https://www.exploit-db.com/exploits/46072

This PoC exploits a vulnerability in JavaScriptCore's array handling, specifically manipulating `m_numValuesInVector` to bypass hole checks, leading to out-of-bounds (OOB) reads/writes. The exploit leverages `Array.prototype.splice` to trigger the vulnerability by setting an unusually large array length and then manipulating it.

Classification: Working PoC (90%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WebKit JavaScriptCore (Safari, other WebKit-based browsers)
Authentication: none needed
Prerequisites: WebKit-based browser with vulnerable JavaScriptCore version
Analyzed by devstral-2, Feb 16, 2026
exploitdb · WORKING POC
by Specter · tags: local · hardware
https://www.exploit-db.com/exploits/46522

This is a working proof-of-concept exploit for CVE-2018-4441, targeting the PlayStation 4 WebKit on firmware 6.20. It achieves arbitrary read/write primitives and ROP chain execution, demonstrating userland code execution via syscalls like `sys_getpid()` and `sys_getuid()`.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Complex
Reliability: Reliable
Target: PlayStation 4 WebKit (Firmware 6.20)
Authentication: none needed
Prerequisites: PS4 on firmware 6.20 · Access to the PS4 web browser or DNS spoofing to redirect to exploit page
Analyzed by devstral-2, Feb 16, 2026
nomisec · WORKING POC · 207 stars
by Cryptogenic · tags: poc
https://github.com/Cryptogenic/PS4-6.20-WebKit-Code-Execution-Exploit

This is a working proof-of-concept exploit for CVE-2018-4441, targeting the PlayStation 4 WebKit on firmware 6.20. It leverages a JavaScriptCore vulnerability to achieve arbitrary read/write primitives and code execution via ROP chains.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Complex
Reliability: Reliable
Target: PlayStation 4 WebKit (Firmware 6.20)
Authentication: none needed
Prerequisites: Access to the target PS4's web browser · Firmware 6.20 or lower
Analyzed by devstral-2, Feb 16, 2026

References (6)

Vendor Advisory (x_refsource_misc): https://support.apple.com/kb/HT209343
Vendor Advisory (x_refsource_misc): https://support.apple.com/kb/HT209342
Vendor Advisory (x_refsource_misc): https://support.apple.com/kb/HT209340
Vendor Advisory (x_refsource_misc): https://support.apple.com/kb/HT209344
Vendor Advisory (x_refsource_misc): https://support.apple.com/kb/HT209346
Vendor Advisory (x_refsource_misc): https://support.apple.com/kb/HT209345

Scores

CVSS v3: 8.8
EPSS: 0.1281
EPSS Percentile: 95.8%
Attack Vector: NETWORK
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-119
Status: published
Products (6)
apple/icloud < 7.9
apple/iphone_os < 12.1.1
apple/itunes < 12.9.2
apple/safari < 12.0.2
apple/tvos < 12.1.1
apple/watchos < 5.1.2
Published: Apr 03, 2019
Tracked Since: Feb 18, 2026