VYPR
Unrated severity · NVD Advisory · Published Apr 3, 2019 · Updated Aug 5, 2024

CVE-2018-4384

Description

A memory corruption flaw in AppleAVD, exploited via malicious video in FaceTime, allows arbitrary code execution or privilege escalation on iOS and watchOS devices prior to 12.1 and 5.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A memory corruption vulnerability (CVE-2018-4384) exists in the AppleAVD driver on iPhone 5s and later, iPad Air and later, iPod touch 6th generation, and Apple Watch Series 1 and later. The issue, caused by improper input validation, affects versions prior to iOS 12.1 and watchOS 5.1 [1][2]. Processing a crafted video file via FaceTime triggers the flaw [1].

Exploitation

An attacker can exploit this vulnerability by delivering a malicious video to the target device through FaceTime. No prior authentication or special network position is required; the victim merely needs to receive and process the video call or message. The memory corruption occurs during video processing by AppleAVD [1].

Impact

On iOS, successful exploitation leads to arbitrary code execution at the system level, potentially compromising the entire device [1]. On watchOS, the impact is privilege escalation, allowing a malicious application to gain elevated privileges [2].

Mitigation

Apple released fixed versions on October 30, 2018: iOS 12.1 and watchOS 5.1. Users should update their devices to these or later versions. No workarounds are provided; installing the updates is the only mitigation [1][2]. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"A memory corruption issue exists when processing a malformed RTP video stream in FaceTime."

Attack vector

An attacker can trigger this vulnerability by sending a malformed RTP video stream to a target user. The vulnerability is triggered when the target user accepts a call from the malicious caller. This leads to a kernel panic due to a corrupted heap cookie or data abort [ref_id=1]. This issue specifically affects FaceTime on iOS devices.

Affected code

The vulnerability lies within the RTP video processing component of FaceTime. Specifically, it is triggered by a malformed RTP video stream that corrupts heap data, leading to a kernel panic [ref_id=1].

What the fix does

The advisory states that the issue was addressed with improved input validation. While a specific patch is not provided, the fix implies that FaceTime now correctly handles malformed RTP video streams, preventing the memory corruption that led to the kernel panic.

Preconditions

  • input: A malformed RTP video stream.
  • network: The target must accept a call from the malicious caller.

Reproduction

1) Build video-replay.c in the attached zip (gcc -g -dynamiclib -o mylib video-replay.c) and copy it to /usr/lib/mylib
2) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
3) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
4) Restart the machine
5) Extract the attached out folder in the zip to /out and change the permissions so it's readable by AVConference
6) Call the target; when they pick up, the phone will crash [ref_id=1]

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0. No linked articles in our index yet.