VYPR
Unrated severity · NVD Advisory · Published Apr 3, 2018 · Updated Aug 5, 2024

CVE-2018-4087

Description

Memory corruption in Core Bluetooth (bluetoothd) in Apple iOS before 11.2.5, tvOS before 11.2.5, and watchOS before 4.2.2 allows a crafted app to execute arbitrary code in a privileged context or cause a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Core Bluetooth component in Apple iOS before 11.2.5, tvOS before 11.2.5, and watchOS before 4.2.2 contains a memory corruption vulnerability in the bluetoothd daemon. A crafted app can trigger it through a flaw in bluetoothd's Mach message handling and hijack the session between bluetoothd and a legitimate client. [4]

Exploitation

The attacker must be able to install and run a crafted app on the device. The app sends a specially crafted Mach message to the bluetoothd service; the handling flaw lets it add a callback whose address and data are attacker-controlled, and when that callback is later invoked, attacker-chosen code runs in the context of bluetoothd. [4]

Impact

Successful exploitation allows arbitrary code execution in a privileged context (bluetoothd runs as root) or a denial of service through memory corruption. An attacker who gains that foothold has elevated privileges and a path toward full device compromise.

Mitigation

Apple addressed the issue in iOS 11.2.5 [1], tvOS 11.2.5 [2], and watchOS 4.2.2 [3], released on January 23, 2018. Users should update their devices to the latest available versions. No workaround is available.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"bluetoothd does not properly validate session tokens or sanitize callback address/data fields supplied via Mach IPC, allowing an attacker to inject arbitrary function pointers."

Attack vector

A malicious app on the device sends a crafted Mach message to the bluetoothd service port (com.apple.server.bluetooth) using the BTLocalDevice_add_callback MIG routine. The attacker brute-forces valid session tokens by iterating through port name values and checking the return code; once a valid token is found, the app supplies a callback address (0xdeadbeef in the PoC) and additional data (0x13371337) that bluetoothd stores and later invokes. Because bluetoothd runs in a privileged context, this allows arbitrary code execution or denial of service via memory corruption [1].

Affected code

The vulnerability resides in the bluetoothd daemon's Mach message handler for the "add callback" operation (message ID 3). The PoC targets the MIG server "com.apple.server.bluetooth" and sends crafted messages with a session token, callback address, and additional data fields.

What the fix does

No patch is included in the bundle. The advisory states that Apple addressed the issue in iOS 11.2.5, tvOS 11.2.5, and watchOS 4.2.2, but the specific fix is not shown. Based on the PoC, a proper fix would validate the session token more strictly and sanitize the callback address and data fields before use, preventing arbitrary function pointer invocation.
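The attack vector and the fix described above, as an added model in C. This is not bluetoothd's code and does not come from any cited reference; every name, constant and the session layout are assumptions chosen to make the two points visible: a MIG-style "add callback" handler that checks only that a guessable token names a live session and stores a raw function pointer from the message (so the return code is a brute-force oracle), beside a hardened handler that binds the session to the caller's identity, accepts only an index into a server-owned callback table, and returns one opaque error for every failure.

```c
/*
 * Model of the weakness: guessable session tokens, a return-code oracle and a
 * raw function pointer accepted over IPC, beside a hardened variant.
 * Added illustration only; not bluetoothd's code. All names are invented.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 16
#define KERN_SUCCESS 0
#define KERN_INVALID_ARGUMENT 4   /* distinguishable failure: the brute-force oracle */
#define KERN_FAILURE 5            /* single opaque failure used by the hardened path */

typedef void (*bt_callback_t)(uint64_t data);

typedef struct {
    int in_use;
    uint32_t token;      /* small and sequential, so the space can be walked */
    uint32_t owner_pid;  /* client that opened the session */
    bt_callback_t cb;    /* weak design: pointer taken verbatim from the message */
    uint64_t cb_data;
} session_t;

static session_t sessions[MAX_SESSIONS];

/* Server side: open a session for a client and return its token. */
static uint32_t open_session(uint32_t pid) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].in_use) continue;
        sessions[i].in_use = 1;
        sessions[i].owner_pid = pid;
        sessions[i].token = 0x100 + (uint32_t)i;  /* predictable token space */
        return sessions[i].token;
    }
    return 0;
}

static session_t *find_session(uint32_t token) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].in_use && sessions[i].token == token) return &sessions[i];
    return NULL;
}

/* Vulnerable handler: checks only that the token names a live session, then
 * stores whatever address and data the message carried. The caller's identity
 * is never consulted, and the return code reveals which tokens are live. */
int add_callback_vuln(uint32_t token, uint64_t cb_addr, uint64_t data) {
    session_t *s = find_session(token);
    if (!s) return KERN_INVALID_ARGUMENT;
    s->cb = (bt_callback_t)(uintptr_t)cb_addr;   /* arbitrary function pointer planted */
    s->cb_data = data;
    return KERN_SUCCESS;
}

/* Hardened handler: the session must belong to the caller (in Mach this would
 * come from the audit token of the received message, never from its body), the
 * callback is an index into a server-owned table, and every failure looks alike. */
static void on_connect(uint64_t d)    { (void)d; }
static void on_disconnect(uint64_t d) { (void)d; }
static const bt_callback_t known_callbacks[] = { on_connect, on_disconnect };
#define N_KNOWN (sizeof known_callbacks / sizeof known_callbacks[0])

int add_callback_fixed(uint32_t caller_pid, uint32_t token, uint32_t cb_index, uint64_t data) {
    session_t *s = find_session(token);
    if (!s || s->owner_pid != caller_pid) return KERN_FAILURE;
    if (cb_index >= N_KNOWN) return KERN_FAILURE;
    s->cb = known_callbacks[cb_index];
    s->cb_data = data;
    return KERN_SUCCESS;
}

/* Attacker: walk the token space using the return code as the oracle. On the
 * first live token the placeholder address and data are already planted. */
uint32_t brute_force_token_vuln(uint32_t lo, uint32_t hi) {
    for (uint32_t t = lo; t <= hi; t++)
        if (add_callback_vuln(t, 0xdeadbeefULL, 0x13371337ULL) == KERN_SUCCESS) return t;
    return 0;
}

/* 1 if a second process (pid 2000) hijacked the victim's (pid 1000) session. */
int demo_vuln_hijacked(void) {
    memset(sessions, 0, sizeof sessions);
    uint32_t victim = open_session(1000);
    uint32_t guessed = brute_force_token_vuln(0, 0x1ff);
    session_t *s = find_session(victim);
    return guessed == victim && (uint64_t)(uintptr_t)s->cb == 0xdeadbeefULL;
}

/* 1 if the hardened handler rejected every guess from pid 2000 while the real
 * owner could still register one of the known callbacks. */
int demo_fixed_holds(void) {
    memset(sessions, 0, sizeof sessions);
    uint32_t victim = open_session(1000);
    int hits = 0;
    for (uint32_t t = 0; t <= 0x1ff; t++)
        if (add_callback_fixed(2000, t, 0, 0x13371337ULL) == KERN_SUCCESS) hits++;
    int own = add_callback_fixed(1000, victim, 1, 42);
    return hits == 0 && own == KERN_SUCCESS && find_session(victim)->cb == on_disconnect;
}

int main(void) {
    printf("vulnerable handler: session hijacked = %d\n", demo_vuln_hijacked());
    printf("hardened handler:   defenses held    = %d\n", demo_fixed_holds());
    return 0;
}
```

Build with any C11 compiler (`cc model.c && ./a.out`). Two design choices carry the fix: randomizing tokens would only raise the cost of guessing, whereas binding each session to the sender's kernel-supplied identity makes a guessed token useless; and a callback should never be a raw address crossing the IPC boundary, because a client that can choose the pointer has already chosen where the server jumps.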

Preconditions

  • Input: the attacker must be able to run a crafted app on the device
  • Input: the attacker must brute-force a valid session token for bluetoothd
  • Network: the bluetoothd service must be reachable via Mach IPC (com.apple.server.bluetooth)

Reproduction

Compile and run the provided PoC on a vulnerable device (iOS

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0 (no linked articles in our index yet)