CVE-2018-4241
Description
Buffer overflow in Apple kernel's mptcp_usr_connectx allows arbitrary code execution; fixed in iOS 11.4, macOS 10.13.5, tvOS 11.4, watchOS 4.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overflow vulnerability exists in the mptcp_usr_connectx function within the Kernel component of Apple operating systems. This affects iOS versions before 11.4, macOS before 10.13.5, tvOS before 11.4, and watchOS before 4.3.1.
Exploitation
Exploitation requires a crafted application to trigger the buffer overflow. No further details about the attack vector have been disclosed by Apple.
Impact
Successful exploitation allows an attacker to execute arbitrary code in a privileged context, potentially gaining system-level privileges.
Mitigation
Apple has released fixes in iOS 11.4 [2], macOS High Sierra 10.13.5 [1], tvOS 11.4 [3], and watchOS 4.3.1 [4]. Users should update their devices to the latest available versions.
- [1] About the security content of macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan - Apple Support
- [2] About the security content of iOS 11.4 - Apple Support
- [3] About the security content of tvOS 11.4 - Apple Support
- [4] About the security content of watchOS 4.3.1 - Apple Support
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- iOS - Range: <11.4
- macOS - Range: <10.13.5
- watchOS - Range: <4.3.1
- tvOS - Range: <11.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing address-family validation in mptcp_usr_connectx allows a memcpy with an attacker-controlled sa_len (up to 255) when sa_family is neither AF_INET nor AF_INET6."
Attack vector
An attacker crafts a malicious app that calls `connectx` with a socket address whose `sa_family` is neither `AF_INET` nor `AF_INET6` but whose `sa_len` field is set to a value larger than the expected structure size. The kernel's `mptcp_usr_connectx` function skips the length-validation checks (which only apply to `AF_INET` and `AF_INET6`) and proceeds to `memcpy(&mpte->mpte_dst, dst, dst->sa_len)`, copying attacker-controlled data beyond the bounds of the destination buffer [ref_id=1]. This overwrites adjacent kernel heap fields, including `mpte_itfinfo`, leading to a controlled pointer being passed to `kfree` when the socket is closed, enabling arbitrary code execution in kernel context [ref_id=1].
Affected code
The vulnerability is in the `mptcp_usr_connectx` function, the handler for the `connectx` syscall on `AF_MULTIPATH` sockets in the XNU kernel. The function fails to reject socket addresses whose `sa_family` is neither `AF_INET` nor `AF_INET6`, yet still performs a `memcpy` into the `mpte_dst` buffer using the attacker-controlled `sa_len` value (up to 255) [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the root cause is clear: the function must validate that the socket address family is either `AF_INET` or `AF_INET6` before trusting the `sa_len` field, and should return an error (`EINVAL`) for any other family. The existing validation checks for IPv4 and IPv6 lengths are correct, but they are gated on the address family — if the family is neither, no check runs and the code falls through to the vulnerable `memcpy` [ref_id=1]. A proper fix would add an `else` branch (or an early bail-out) that rejects unsupported address families.
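The gating pattern described above, as an added illustration that is not XNU's code and not taken from the advisory: the pre-fix check lets an unsupported family through with `sa_len` unvalidated, while the hardened form adds the missing `else` branch before any copy. The BSD-style sockaddr layout, the family and size constants, and the destination buffer size are constructed assumptions for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed BSD-style sockaddr (sa_len first, then sa_family), defined
 * here so the example also builds on Linux, whose sockaddr has no sa_len.
 * Constants below are assumptions for illustration, not XNU's definitions. */
struct bsd_sockaddr {
    uint8_t sa_len;          /* one byte, so at most 255 */
    uint8_t sa_family;
    char    sa_data[253];
};
#define BSD_AF_INET    2
#define BSD_AF_INET6   30
#define SIN_LEN        16    /* assumed sizeof(struct sockaddr_in) */
#define SIN6_LEN       28    /* assumed sizeof(struct sockaddr_in6) */
#define MPTE_DST_LEN   28    /* assumed size of the kernel's destination buffer */

/* Pre-fix gating as the advisory describes it: the length check is nested
 * under the family test, so any other family passes with sa_len unchecked. */
int dst_len_check_pre_fix(const struct bsd_sockaddr *dst) {
    if (dst->sa_family == BSD_AF_INET) {
        if (dst->sa_len != SIN_LEN) return EINVAL;
    } else if (dst->sa_family == BSD_AF_INET6) {
        if (dst->sa_len != SIN6_LEN) return EINVAL;
    }
    return 0;  /* unsupported family falls through with sa_len never validated */
}

/* Hardened form: the missing else branch rejects every other family before
 * sa_len is trusted, plus a belt-and-braces bound on the destination size. */
int dst_len_check_fixed(const struct bsd_sockaddr *dst) {
    if (dst->sa_family == BSD_AF_INET) {
        if (dst->sa_len != SIN_LEN) return EINVAL;
    } else if (dst->sa_family == BSD_AF_INET6) {
        if (dst->sa_len != SIN6_LEN) return EINVAL;
    } else {
        return EINVAL;
    }
    return dst->sa_len > MPTE_DST_LEN ? EINVAL : 0;
}

/* The copy the handler ultimately performs, gated on the fixed check so the
 * memcpy length can never exceed the destination buffer. Returns 0 or errno. */
int copy_dst_safely(const struct bsd_sockaddr *dst, char out[MPTE_DST_LEN]) {
    int err = dst_len_check_fixed(dst);
    if (err) return err;
    memcpy(out, dst, dst->sa_len);
    return 0;
}
```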
Preconditions
- Auth: The attacker must be able to run a crafted app on the affected system (iOS, macOS, tvOS, or watchOS).
- Config: On iOS, the app must have the multipath entitlement, which is available to App Store apps.
- Input: The app must call the connectx syscall on an AF_MULTIPATH socket with a crafted sockaddr structure.
Reproduction
A public PoC is available at https://www.exploit-db.com/exploits/44849/ and the binary at https://gitlab.com/exploit-db/exploitdb-bin-sploits/-/raw/main/bin-sploits/44849.zip [ref_id=1]. The PoC triggers the buffer overflow by passing a socket address with an unsupported `sa_family` and a large `sa_len`, overwriting the `mpte_itfinfo` field to cause a controlled `kfree` on socket close. On macOS the PoC must be run as root; on iOS 11 it can run inside the app sandbox with the multipath entitlement [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44849/ (exploit; x_refsource_EXPLOIT-DB)
- www.securitytracker.com/id/1041027 (vdb-entry; x_refsource_SECTRACK)
- bugs.chromium.org/p/project-zero/issues/detail (x_refsource_MISC)
- support.apple.com/HT208848 (x_refsource_CONFIRM)
- support.apple.com/HT208849 (x_refsource_CONFIRM)
- support.apple.com/HT208850 (x_refsource_CONFIRM)
- support.apple.com/HT208851 (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.