CVE-2018-4407
Published 2019-04-03
CVE-2018-4407: A memory corruption issue was addressed with improved validation. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12, watchOS 5.
Priority P260 high · 8.8 CVSS 3.0
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 22.01% (97.4th percentile)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 12.0 | 12.0 |
| apple | mac_os_x | < 10.14 | 10.14 |
| apple | macos_mojave | — | — |
| apple | macos_mojave_10.14.1_security_update_2018-002_high_sierra_security_update_2018-0 | — | — |
| apple | tvos | < 12 | 12 |
| apple | tvos | — | — |
| apple | watchos | < 5.0 | 5.0 |
| apple | watchos_5 | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered by a specially crafted IP packet sent over the local network; monitor for malformed/oversized IP packets targeting Apple devices (XNU kernel networking stack) that cause kernel panics or unexpected reboots.
- The vulnerability resides in ICMP packet-handling code within the XNU kernel networking stack; network-level detection should focus on anomalous ICMP packets that could trigger a heap buffer overflow.
- No open ports are required on the target device for exploitation; perimeter port-based filtering is insufficient — detection must occur at the IP/ICMP packet level on the local network segment.
- Public WiFi networks are a key attack vector; alert on kernel crash/reboot events on Apple devices connected to shared or untrusted network segments.
- Anti-virus/endpoint security software cannot block exploitation because the vulnerability is in a fundamental layer of the networking code, below where AV operates.
- The PoC at time of disclosure was withheld from public release to allow time for patching; however, the existence of a PoC video was confirmed and RCE potential was acknowledged by Apple.
- macOS Mojave (10.14) was patched prior to public release and is not vulnerable; detection/patching efforts should focus on all pre-Mojave macOS and iOS versions prior to iOS 12.
CVSS provenance
- nvd · v3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
Apple
CVE-2018-4407: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
vendor_apple·2018-10-30·CVSS 8.8
Apple Security Update: About the security content of macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
Product: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
CVE: CVE-2018-4407
Component: Kernel
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: A memory corruption issue was addressed with improved validation.
Apple
CVE-2018-4407: macOS Mojave 10.14
vendor_apple·2018-09-24·CVSS 8.8
Apple Security Update: About the security content of macOS Mojave 10.14
Product: macOS Mojave
Version: 10.14
CVE: CVE-2018-4407
Component: Kernel
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: A memory corruption issue was addressed with improved validation.
Apple
CVE-2018-4407: watchOS 5
vendor_apple·2018-09-17·CVSS 8.8
Apple Security Update: About the security content of watchOS 5
Product: watchOS 5
CVE: CVE-2018-4407
Component: Kernel
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: A memory corruption issue was addressed with improved validation.
Apple
CVE-2018-4407: iOS 12
vendor_apple·2018-09-17·CVSS 8.8
Apple Security Update: About the security content of iOS 12
Product: iOS
Version: 12
CVE: CVE-2018-4407
Component: Kernel
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: A memory corruption issue was addressed with improved validation.
Apple
CVE-2018-4407: tvOS 12
vendor_apple·2018-09-17·CVSS 8.8
Apple Security Update: About the security content of tvOS 12
Product: tvOS
Version: 12
CVE: CVE-2018-4407
Component: Kernel
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: A memory corruption issue was addressed with improved validation.
GHSA
GHSA-pcv9-8r98-7p98: A memory corruption issue was addressed with improved validation
ghsa_unreviewed·2022-05-14
CVE-2018-4407 [HIGH] CWE-119 GHSA-pcv9-8r98-7p98: A memory corruption issue was addressed with improved validation
A memory corruption issue was addressed with improved validation. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12, watchOS 5.
Suricata
ET EXPLOIT Possible CVE-2018-4407 - Apple ICMP DoS PoC
suricata·2018-11-01·CVSS 8.8
Rule: alert icmp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible CVE-2018-4407 - Apple ICMP DoS PoC"; itype:12; icode:0; content:"AAAAAAAA"; fast_pattern; reference:url,lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407; reference:url,twitter.com/ihackbanme/status/1057811965945376768; classtype:attempted-user; sid:2026567; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_11_01, cve CVE_2018_4407, deployment Internal, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
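The rule's match conditions (ICMP type 12 code 0 from `$HOME_NET`, payload containing `AAAAAAAA`), re-implemented as an added Python example and run over constructed packets. This is not part of the rule set or of any source quoted on this page; the `HOME_NET` value, function names and sample addresses are assumptions.

```python
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed stand-in for $HOME_NET
PATTERN = b"AAAAAAAA"                              # content:"AAAAAAAA" from the rule

def matches_rule(packet: bytes, home_net=HOME_NET) -> bool:
    """True if a raw IPv4 packet meets the rule's itype/icode/content conditions."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # not IPv4 or truncated header
    ihl = (packet[0] & 0x0F) * 4          # IP header length, options included
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 1:
        return False                      # malformed, truncated, or not ICMP
    if ipaddress.ip_address(packet[12:16]) not in home_net:
        return False                      # rule direction: $HOME_NET -> any
    if (packet[ihl], packet[ihl + 1]) != (12, 0):
        return False                      # itype:12; icode:0 (Parameter Problem)
    return PATTERN in packet[ihl + 8:]    # search data after the 8-byte ICMP header

def build_packet(src, dst, icmp_type, icmp_code, data: bytes) -> bytes:
    """Constructed test input: IPv4 + ICMP, checksums left at zero (not checked)."""
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + icmp

# Constructed samples, not captured traffic.
SAMPLES = {
    "type12_with_pattern": build_packet("192.168.1.20", "192.168.1.50", 12, 0, b"A" * 16),
    "type12_no_pattern": build_packet("192.168.1.20", "192.168.1.50", 12, 0, bytes(16)),
    "echo_reply_with_pattern": build_packet("192.168.1.20", "192.168.1.50", 0, 0, b"A" * 16),
    "outside_home_net": build_packet("10.0.0.5", "192.168.1.50", 12, 0, b"A" * 16),
}

def scan(samples=SAMPLES):
    """Return the names of samples that would raise the alert."""
    return [name for name, pkt in samples.items() if matches_rule(pkt)]

if __name__ == "__main__":
    print(scan())
```

The content match keys on the filler bytes named in the rule, so this signature complements the kernel panic and reboot alerting listed under Detection & IOCs rather than replacing it.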
No public exploits indexed.
Tenable
Buffer Overflow Vulnerability in Apple iOS and macOS Devices Disclosed
blogs_tenable·2018-10-31·CVSS 8.8
# Buffer Overflow Vulnerability in Apple iOS and macOS Devices Disclosed
Satnam Narang
October 31, 2018
A researcher has disclosed a buffer overflow vulnerability in Apple’s XNU operating system kernel that allows attackers on a local network to reboot Apple’s iOS and macOS devices and could potentially lead to remote code execution.
### Background
On October 30, researcher Kevin Backhouse of Semmle published a blog on his discovery of a buffer overflow vulnerability in Apple’s XNU operating system kernel (CVE-2018-4407). Specifically, the vulnerability exists in the networking code for XNU for how packets are handled. The vulnerability affects OS X, macOS and iOS devices. Backhouse released a proof of concept (PoC) video demonstrati
Crowdstrike
CrowdStrike Provides Free Dashboard to Identify Vulnerable Macs
blogs_crowdstrike·CVSS 7.5
- http://packetstormsecurity.com/files/172832/iOS-11.4.1-macOS-10.13.6-icmp_error-Heap-Buffer-Overflow.html
- https://support.apple.com/kb/HT209106
- https://support.apple.com/kb/HT209107
- https://support.apple.com/kb/HT209108
- https://support.apple.com/kb/HT209139
- https://support.apple.com/kb/HT209193