CVE-2018-4366
Description
A memory corruption bug in AppleAVD on iOS prior to 12.1 lets a remote attacker execute arbitrary code via a malicious FaceTime video call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2018-4366 is a memory corruption vulnerability in the AppleAVD driver, present in iOS versions prior to 12.1. Processing a maliciously crafted video stream via FaceTime triggers the bug. Affected devices include iPhone 5s and later, iPad Air and later, and iPod touch 6th generation [1].
Exploitation
An attacker with network access can send a specially crafted video stream to a target device during a FaceTime call. No user interaction beyond accepting the call is required, and the attacker does not need any prior authentication [1].
Impact
Successful exploitation allows arbitrary code execution in the context of the AppleAVD kernel extension, providing the attacker full control over the affected iOS device [1].
Mitigation
Apple released iOS 12.1 on October 30, 2018, which fixes the vulnerability through improved input validation. Users should update to iOS 12.1 or later. No workaround is available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1. Range: <12.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A heap corruption vulnerability exists in VCPDecompressionDecodeFrame which is called by FaceTime."
Attack vector
An attacker can trigger this vulnerability by sending a crafted sequence of RTP packets to a victim. The victim must accept a call from the malicious peer. This interaction leads to a crash in the AVConference daemon, indicating successful exploitation [1].
Affected code
The vulnerability resides within the VCPDecompressionDecodeFrame function, which is invoked by FaceTime. The published reproduction notes tie the issue to how the length of an encrypted packet is retrieved from the encrypted buffer, specifically the output size returned from CCCryptorUpdate [1].
What the fix does
The advisory states that the issue was addressed with improved input validation. The patch likely changes VCPDecompressionDecodeFrame to validate the size of encrypted packets before they are used, preventing the heap corruption.
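The defensive pattern behind "improved input validation" on a length that arrives inside an encrypted packet is to size every copy by what the decryptor actually produced, never by a length field embedded in the decrypted data. The example below is added here and is not Apple's code or the AppleAVD patch; it models a CCCryptorUpdate-style contract (the decryptor reports the bytes it wrote) with a toy XOR transform so it runs anywhere, and the 2-byte length header layout is a hypothetical frame format chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a CCCryptorUpdate-style decryptor: the caller supplies an output
 * buffer and gets back how many bytes were actually written (the dataOutMoved
 * idea). Toy XOR transform, not CommonCrypto, not Apple's code. */
#define TOY_KEY 0x5A

static int toy_decrypt(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap, size_t *out_moved)
{
    if (in_len > out_cap)
        return -1;                  /* refuse rather than overrun the output */
    for (size_t i = 0; i < in_len; i++)
        out[i] = in[i] ^ TOY_KEY;
    *out_moved = in_len;            /* the only trustworthy size */
    return 0;
}

/* Hypothetical decrypted-frame layout (assumption for this example):
 * 2-byte big-endian length, then that many frame bytes. The length field is
 * attacker-controlled and must be cross-checked against out_moved. */
enum decode_status {
    DECODE_OK = 0,
    DECODE_DECRYPT_FAIL = 1,
    DECODE_BAD_HEADER = 2,
    DECODE_LENGTH_MISMATCH = 3
};

#define MAX_PLAIN 1500

int decode_frame(const uint8_t *packet, size_t packet_len,
                 uint8_t *frame, size_t frame_cap, size_t *frame_len)
{
    uint8_t plain[MAX_PLAIN];
    size_t moved = 0;

    if (toy_decrypt(packet, packet_len, plain, sizeof plain, &moved) != 0)
        return DECODE_DECRYPT_FAIL;
    if (moved < 2)
        return DECODE_BAD_HEADER;

    size_t declared = ((size_t)plain[0] << 8) | plain[1];

    /* Bound the copy by what the decryptor reported and by the destination
     * capacity; a declared size beyond the produced bytes is rejected. */
    if (declared > moved - 2 || declared > frame_cap)
        return DECODE_LENGTH_MISMATCH;

    memcpy(frame, plain + 2, declared);
    *frame_len = declared;
    return DECODE_OK;
}

/* Build a constructed packet whose length header may deliberately disagree
 * with the real payload size, under the same toy transform. */
size_t build_packet(uint16_t declared_len, const uint8_t *payload,
                    size_t payload_len, uint8_t *out, size_t out_cap)
{
    if (payload_len + 2 > out_cap)
        return 0;
    out[0] = (uint8_t)(declared_len >> 8) ^ TOY_KEY;
    out[1] = (uint8_t)(declared_len & 0xFF) ^ TOY_KEY;
    for (size_t i = 0; i < payload_len; i++)
        out[2 + i] = payload[i] ^ TOY_KEY;
    return payload_len + 2;
}

static const uint8_t SAMPLE[5] = { 1, 2, 3, 4, 5 };  /* constructed payload */

/* Header agrees with the payload: decode succeeds and the frame matches. */
int check_consistent_packet(void)
{
    uint8_t pkt[64], frame[64];
    size_t flen = 0;
    size_t n = build_packet(5, SAMPLE, sizeof SAMPLE, pkt, sizeof pkt);
    int st = decode_frame(pkt, n, frame, sizeof frame, &flen);
    if (st != DECODE_OK || flen != 5 || memcmp(frame, SAMPLE, 5) != 0)
        return -1;
    return st;
}

/* Header claims 1000 bytes but only 5 follow: must be rejected, not copied. */
int check_oversized_header(void)
{
    uint8_t pkt[64], frame[64];
    size_t flen = 0;
    size_t n = build_packet(1000, SAMPLE, sizeof SAMPLE, pkt, sizeof pkt);
    return decode_frame(pkt, n, frame, sizeof frame, &flen);
}

/* Packet too short to even hold the header. */
int check_truncated_packet(void)
{
    uint8_t pkt[1] = { 0 }, frame[8];
    size_t flen = 0;
    return decode_frame(pkt, 1, frame, sizeof frame, &flen);
}

int main(void)
{
    printf("consistent: %d\n", check_consistent_packet());
    printf("oversized header: %d\n", check_oversized_header());
    printf("truncated: %d\n", check_truncated_packet());
    return 0;
}
```

The point of the check is ordering: the declared length is compared against `moved`, the decryptor's own report, before it reaches `memcpy`, so a header that promises more than the packet delivered can never drive the copy.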
Preconditions
- network: The attacker must be able to send RTP packets to the target.
- input: The attacker must send a crafted sequence of RTP packets.
- network: The target must accept a call from the malicious peer.
Reproduction
1) Build video-replay.c attached (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib.
2) Use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference. The version I patched has an md5 sum of 0de78198e29ae43e686f59d550150d1b and the patched version has an md5 sum of af5bb770f08e315bf471a0fadcf96cf8. This patch alters SendRTP to retrieve the length of an encrypted packet from offset 0x650 of the encrypted buffer, as the existing code doesn't respect the output size returned from CCCryptorUpdate.
3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference).
4) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write.
5) Restart the machine.
6) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference.
7) Call target; when they pick up, AVConference will crash [1].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://support.apple.com/kb/HT209192 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.