Apple has just revised the list of security fixes included in its Security Update 2018-001 for High Sierra.
It has added the following entry to the two discrete fixes already listed:
Available for: macOS High Sierra 10.13.4
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: In some circumstances, some operating systems may not expect or properly handle an Intel architecture debug exception after certain instructions. The issue appears to be from an undocumented side effect of the instructions. An attacker might utilize this exception handling to gain access to Ring 0 and access sensitive memory or control operating system processes.
CVE-2018-8897: Andy Lutomirski, Nick Peterson (linkedin.com/in/everdox) of Everdox Tech LLC
Entry added May 8, 2018
If you want to read the full details of the CVE, they are here. This vulnerability affected Windows, macOS (but not iOS), FreeBSD, Linux, and some Xen configurations, so details of the fix will have been embargoed until those had also been patched to address it.
The High Sierra Security Update did include a kernel update, and this could well explain the almost complete replacement of the kernel extensions delivered in it. It is not clear whether macOS Sierra and El Capitan will also need fixes, perhaps in their next Security Updates.
Thank you, Apple: that does make a lot more sense now. And thanks to Apple for sending this notification out to its security-announce mailing list too.