CVE-2018-4089
Description
WebKit use-after-free vulnerability in SVG handling allows arbitrary code execution via crafted web pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in WebKit's SVG property handling, specifically in SVGPropertyTearOff::detachWrapper(). When an SVG list property is resized, the internal vector buffer is reallocated, but the SVGPropertyTearOff keeps a raw pointer (m_value) into the old buffer and later dereferences it. This issue affects iOS before 11.2.5, macOS before 10.13.3, Safari before 11.0.3, and tvOS before 11.2.5 [1][2][3][4].
Exploitation
An attacker can exploit this vulnerability by enticing a user to visit a crafted web page. The page manipulates SVG list properties (in the published PoC, through SMIL animation) so that the backing vector is reallocated while a tear-off wrapper still holds a pointer into the old buffer; the subsequent access through that pointer reads freed memory. No user interaction beyond visiting the page is required, and the attacker does not need authentication [3].
Impact
Successful exploitation can lead to arbitrary code execution within the WebKit process or to a denial of service (memory corruption and application crash). Code runs at the privilege level of the affected application's WebContent process; whether that extends to a full system compromise depends on the sandboxing around that process [1][2][3][4].
Mitigation
Apple has addressed this vulnerability in iOS 11.2.5, macOS High Sierra 10.13.3, Safari 11.0.3, and tvOS 11.2.5, all released on January 23, 2018. Users should update to the latest versions of the affected software. No workarounds are available, and no evidence of active exploitation has been reported [1][2][4].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <11.2.5 (iOS)
- Range: <10.13.3 (macOS)
- Range: <11.0.3 (Safari)
- Range: <11.2.5 (tvOS)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free in SVGPropertyTearOff::detachWrapper() where a pointer (m_value) into a vector's buffer is not invalidated when the vector is resized and reallocated."
Attack vector
An attacker hosts a crafted website containing SVG content with SMIL animations that manipulate SVG length lists. During animation, `SVGAnimatedTypeAnimator::resetFromBaseValue` triggers a vector copy assignment (`SVGLengthListValues::operator=`) that shrinks the vector's capacity, freeing the underlying buffer [ref_id=1]. A subsequent call to `SVGPropertyTearOff::detachWrapper()` dereferences a stale pointer (`m_value`) that still points into the freed buffer, causing a use-after-free read [ref_id=1]. A use-after-free of this kind can be leveraged to execute arbitrary code or crash the WebContent process.
Affected code
The vulnerability resides in `SVGPropertyTearOff::detachWrapper()` in `Source/WebCore/svg/properties/SVGPropertyTearOff.h`. The call chain involves `SVGListProperty::detachListWrappersAndResize()`, `SVGAnimatedTypeAnimator::executeAction()`, and `SVGAnimateElementBase::resetAnimatedType()` during SVG SMIL animation processing [ref_id=1].
What the fix does
The advisory does not include a patch diff. Apple addressed this issue in iOS 11.2.5, macOS 10.13.3, Safari 11.0.3, and tvOS 11.2.5. The fix likely ensures that `SVGPropertyTearOff`'s `m_value` pointer is updated or invalidated when the backing vector is resized or reallocated, preventing the dangling pointer from being dereferenced in `detachWrapper()` [ref_id=1].
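The following is an added example, not code from WebKit, the advisory, or the exploit-db PoC. It models the mechanism described under "Attack vector" (a wrapper caching a raw pointer into a list buffer that a copy-assignment frees) next to one hardened arrangement of the kind "What the fix does" speculates about (wrappers detached before any reallocation). The names `Length`, `LengthList`, `RawTearOff`, `TrackedLengthList` and `TrackedLengthList::TearOff` are hypothetical stand-ins for the WebKit classes, and the toy list deliberately reproduces the WTF::Vector shrink-on-assign behaviour rather than std::vector's. The stale pointer is checked by address comparison and never dereferenced, so the example runs cleanly under a sanitizer.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <memory>
#include <vector>

// Stand-in for an SVG length value (hypothetical, not WebKit's SVGLengthValue).
struct Length { float value; };

// Toy list with the WTF::Vector behaviour the advisory describes: copy-assignment
// installs a buffer sized to the source and frees the old one. (std::vector keeps
// its capacity when shrinking and would hide the bug.)
class LengthList {
public:
    LengthList(std::initializer_list<Length> items) { assign(items.begin(), items.size()); }
    LengthList(const LengthList&) = delete;
    LengthList& operator=(const LengthList& o) { if (this != &o) assign(o.m_buffer, o.m_size); return *this; }
    ~LengthList() { delete[] m_buffer; }
    Length* data() { return m_buffer; }
    std::size_t size() const { return m_size; }
    Length& at(std::size_t i) { return m_buffer[i]; }
private:
    void assign(const Length* src, std::size_t n) {
        Length* fresh = new Length[n];
        for (std::size_t i = 0; i < n; ++i) fresh[i] = src[i];
        delete[] m_buffer;   // old buffer freed: any raw pointer into it now dangles
        m_buffer = fresh;
        m_size = n;
    }
    Length* m_buffer = nullptr; std::size_t m_size = 0;
};

// Vulnerable shape: the wrapper caches a raw pointer into the list buffer and is
// never told that the buffer was replaced (the role of m_value in the bug).
struct RawTearOff {
    Length* m_value;
    RawTearOff(LengthList& list, std::size_t index) : m_value(&list.at(index)) {}
};

// Checks a cached pointer against the list's current buffer without dereferencing it.
bool pointsIntoLiveBuffer(const Length* p, LengthList& list) {
    std::uintptr_t lo = reinterpret_cast<std::uintptr_t>(list.data());   // integer compare: well-defined
    std::uintptr_t addr = reinterpret_cast<std::uintptr_t>(p);
    return lo <= addr && addr < lo + list.size() * sizeof(Length);
}

// The bug's sequence: take a wrapper for an item, then copy-assign a shorter base value
// over the animated list (the resetFromBaseValue step). True when the pointer is stale.
bool rawTearOffDanglesAfterReset() {
    LengthList animated{Length{10.f}, Length{20.f}, Length{30.f}};
    RawTearOff tearOff(animated, 2);
    LengthList base{Length{1.f}};
    animated = base;   // buffer replaced, old one freed
    return !pointsIntoLiveBuffer(tearOff.m_value, animated);   // detachWrapper() would read freed memory
}

// Hardened shape: wrappers hold (owner, index), resolve the address on every access, and
// any operation that may reallocate detaches them first. One safe arrangement, not Apple's patch.
class TrackedLengthList {
public:
    struct TearOff {
        TrackedLengthList* m_owner;
        std::size_t m_index;
        bool attached() const { return m_owner != nullptr; }
        void detach() { m_owner = nullptr; }
        Length* value() {   // nullptr once detached or out of range; never a stale pointer
            return (!m_owner || m_index >= m_owner->m_values.size()) ? nullptr : &m_owner->m_values.at(m_index);
        }
    };
    TrackedLengthList(std::initializer_list<Length> items) : m_values(items) {}
    ~TrackedLengthList() { detachAllWrappers(); }
    std::shared_ptr<TearOff> wrapperFor(std::size_t index) {
        auto w = std::make_shared<TearOff>(TearOff{this, index});
        m_wrappers.push_back(w);
        return w;
    }
    void resetFromBaseValue(const LengthList& base) {
        detachAllWrappers();   // the fix-shaped step: no wrapper survives the reallocation
        m_values = base;
    }
private:
    void detachAllWrappers() { for (auto& w : m_wrappers) w->detach(); m_wrappers.clear(); }
    LengthList m_values;
    std::vector<std::shared_ptr<TearOff>> m_wrappers;
};

// Same sequence against the hardened list: the old wrapper must report detached
// rather than hand out a stale pointer; a wrapper made after the reset reads the new value.
bool trackedTearOffIsDetachedAfterReset() {
    TrackedLengthList animated{Length{10.f}, Length{20.f}, Length{30.f}};
    auto old = animated.wrapperFor(2);
    bool before = old->value() && old->value()->value == 30.f;
    animated.resetFromBaseValue(LengthList{Length{1.f}});
    bool after = !old->attached() && old->value() == nullptr;
    auto fresh = animated.wrapperFor(0);
    return before && after && fresh->value() && fresh->value()->value == 1.f;
}

int main() { return rawTearOffDanglesAfterReset() && trackedTearOffIsDetachedAfterReset() ? 0 : 1; }
```

The point of the two halves is the ownership question: a wrapper that outlives a reallocation must either be told about it (detach before the buffer moves, as `resetFromBaseValue` does here) or must not hold an address at all (index plus owner, resolved on each access). Caching `&list.at(index)` is only safe while the list can prove nothing will reallocate before the pointer is dropped, which is exactly what SMIL animation breaks.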
Preconditions
- Victim must visit a malicious web page using a vulnerable version of Safari or another WebKit-based browser
- No special authentication or configuration required; the attack is drive-by
Reproduction
The PoC is attached to the exploit-db entry at https://www.exploit-db.com/exploits/43937/ [ref_id=1]. The advisory does not reproduce the steps in text form; the PoC file itself must be retrieved from that URL.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/43937/ (EXPLOIT-DB, exploit)
- www.securityfocus.com/bid/102778 (BID, vdb-entry)
- www.securitytracker.com/id/1040265 (SECTRACK, vdb-entry)
- www.securitytracker.com/id/1040266 (SECTRACK, vdb-entry)
- www.securitytracker.com/id/1040267 (SECTRACK, vdb-entry)
- support.apple.com/HT208462 (Apple, vendor advisory)
- support.apple.com/HT208463 (Apple, vendor advisory)
- support.apple.com/HT208465 (Apple, vendor advisory)
- support.apple.com/HT208475 (Apple, vendor advisory)
News mentions
No linked articles in our index yet.