Cyber Resilience

CVE-2018-4344

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 03 April 2019
Modified: 23 October 2025
KEV Added: 27 June 2022
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.3th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-4344 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Apple iPhone OS. Its CVSS base score is 7.8 (High).

Operationally, it ranks at the 39.3th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A memory corruption vulnerability identified as CVE-2018-4344 and categorized under CWE-119 was present in Apple platforms prior to iOS 12, macOS Mojave 10.14, tvOS 12, and watchOS 5. The root cause was insufficient memory handling that could be triggered to corrupt process memory, rated at CVSS 7.8 with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

An attacker with the ability to supply a malicious file or input that a local user opens or processes could exploit the flaw to achieve arbitrary code execution or full system compromise without requiring elevated privileges.

Apple security updates resolved the issue by implementing improved memory handling, as described in the vendor advisories at https://support.apple.com/kb/HT209106, https://support.apple.com/kb/HT209107, https://support.apple.com/kb/HT209108, and https://support.apple.com/kb/HT209139. No public information on in-the-wild exploitation is provided in the references.

EU & UK References

Vulnerability details

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12, watchOS 5.

CWE(s)
KEV Date Added: 27 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple · iphone os · ≤ 12.0
apple · mac os x · ≤ 10.14
apple · tvos · ≤ 12.0
apple · watchos · ≤ 5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires memory protection mechanisms that would have blocked the memory corruption flaw exploited by CVE-2018-4344.

prevent: Mandates timely application of vendor patches that corrected the insufficient memory handling in affected Apple platforms.

prevent: Requires validation of input that could have prevented the malicious file or data from triggering the memory corruption.

References