CVE-2018-4206
Description
A memory corruption issue in Apple's Crash Reporter allows a crafted app to replace a privileged port name, leading to arbitrary code execution or denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Crash Reporter (ReportCrash) component of Apple operating systems. It affects iOS before 11.3.1, macOS 10.13.4 before Security Update 2018-001, tvOS before 11.4, and watchOS before 4.3.1 [1][2][4]. The issue stems from a failure to respect MIG ownership rules when handling mach_exception_raise_state_identity messages: ReportCrash's handler deallocates the task and thread port arguments on its error path even though the MIG server loop also destroys the incoming rights when a handler returns an error, so a port name in ReportCrash's namespace can be freed while the daemon still uses it. A crafted app can thereby replace a privileged port name, leading to memory corruption [3].
Exploitation
An attacker must run a crafted app on the target device. The app obtains a send right to ReportCrash's exception port via the task_get_exception_ports or host_get_exception_ports kernel MIG routines, then sends a specially crafted mach_exception_raise_state_identity message whose sender euid differs from ReportCrash's. That drives ReportCrash into an error path that deallocates the port arguments before MIG deallocates them a second time, so a port name ReportCrash still relies on is freed and can be reused [3]. The attack needs no user interaction beyond installing and running the malicious app, but note the privilege precondition described under Attack vector below: the public PoC runs as root, because ReportCrash only receives privileged task and thread ports when a privileged process crashes.
Impact
Successful exploitation allows an attacker to execute arbitrary code in ReportCrash or to cause a denial of service (memory corruption). Since ReportCrash runs with elevated privileges and holds send rights to privileged services, freeing one of those port names and replacing it with a port the attacker controls lets the attacker gain elevated privileges on the system, potentially leading to full compromise of the device [4].
Mitigation
Apple addressed the issue in the following releases: iOS 11.3.1 (April 24, 2018) [4], macOS 10.13.4 Security Update 2018-001, tvOS 11.4 (May 29, 2018) [1], and watchOS 4.3.1 (May 29, 2018) [2]. Users should update to these versions or later. No workarounds are available for unpatched systems.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- tvOS, Range: < 11.4
- macOS, Range: < 10.13.4 (Security Update 2018-001)
- watchOS, Range: < 4.3.1
- iOS, Range: < 11.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Failure to respect MIG ownership rules in ReportCrash's exception handler causes a double-deallocation of Mach port references when the sender's euid does not match."
Attack vector
An attacker who already has code execution in a sandboxed root process (e.g., kextd on macOS or amfid on iOS) can crash that process, causing ReportCrash to receive its task and thread ports. By sending a crafted `mach_exception_raise_state_identity` message from a different euid (e.g., dropping to uid 12 via `setuid`), the attacker triggers the error path in ReportCrash that double-deallocates the port arguments [ref_id=1]. This double-deallocation allows the attacker to replace privileged port names, leading to memory corruption that can be leveraged for arbitrary code execution or denial of service [ref_id=1].
Affected code
The vulnerability resides in the ReportCrash daemon's handler for the `mach_exception_raise_state_identity` message (subsystem 2405). In the error path at offset +0x2b11 (macOS 10.13.3), when the sender's euid does not match ReportCrash's euid, the handler calls `mach_port_deallocate` on the task and thread port arguments, dropping a user-reference (UREF), and then returns error code 5. MIG then sees the error and drops another UREF on the same ports, resulting in a double-deallocation [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory states that Apple addressed the issue in iOS 11.3.1, macOS 10.13.4 Security Update 2018-001, tvOS 11.4, and watchOS 4.3.1, but does not detail the specific code change. Based on the researcher's analysis [ref_id=1], the fix would need to correct the MIG ownership logic in ReportCrash's exception handler so that port references are not double-dropped when the euid check fails.
Preconditions
- auth: Attacker must have code execution in a sandboxed root process (e.g., kextd or amfid) to crash it and have ReportCrash receive its task ports.
- input: Attacker must be able to send a mach_exception_raise_state_identity message to ReportCrash from a different effective UID (e.g., via setuid to uid 12).
- config: The target system must be running an affected version of iOS, macOS, tvOS, or watchOS.
Reproduction
The public PoC at https://www.exploit-db.com/exploits/44562/ [ref_id=1] demonstrates the bug. Compile with: `cp /usr/include/mach/mach_exc.defs . && mig mach_exc.defs && clang -o rc rc.c mach_excUser.c`. Run as root (`sudo ./rc`). The PoC obtains the ReportCrash exception port via `host_get_exception_ports`, looks up the `com.apple.logd` service as a target port, drops privileges to uid 12 via `setuid(12)`, and then calls `mach_exception_raise_state_identity` with the target port as the thread argument. This triggers the double-deallocation bug, destroying ReportCrash's send right to logd [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44562/ (EXPLOIT-DB)
- www.securityfocus.com/bid/103957 (BID)
- www.securityfocus.com/bid/103958 (BID)
- www.securitytracker.com/id/1040744 (SECTRACK)
- bugs.chromium.org/p/project-zero/issues/detail (MISC)
- support.apple.com/HT208742 (CONFIRM)
- support.apple.com/HT208743 (CONFIRM)
- support.apple.com/HT208850 (CONFIRM)
- support.apple.com/HT208851 (CONFIRM)
News mentions
No linked articles in our index yet.