Apple security updates addressing actively exploited iOS and macOS vulnerabilities
Apple published multiple security advisories across iOS/iPadOS, macOS, and watchOS releases that include fixes for vulnerabilities reported as actively exploited in the wild. Notable exploited issues include iOS/iPadOS 15.6.1 fixes for kernel and WebKit out-of-bounds writes enabling arbitrary code execution (CVE-2022-32894, CVE-2022-32893), iOS/iPadOS 16.3.1’s exploited WebKit type confusion leading to code execution (CVE-2023-23529), and iOS/iPadOS 15.7.5 plus macOS Big Sur 11.7.6 addressing an IOSurfaceAccelerator out-of-bounds write that could yield kernel-level code execution (CVE-2023-28206) alongside an exploited WebKit use-after-free (CVE-2023-28205). Apple also shipped iOS/iPadOS 16.6.1 and macOS Ventura 13.5.2 updates to remediate an exploited ImageIO buffer overflow (CVE-2023-41064) and an exploited Wallet attachment validation issue that could allow code execution (CVE-2023-41061).
Separately, Apple’s iOS 17.0.1 and watchOS 9.6.3 advisories describe two vulnerabilities (CVE-2023-41991, CVE-2023-41992) reported by Citizen Lab and Google’s Threat Analysis Group as exploited against versions prior to iOS 16.7, involving signature validation bypass and local privilege escalation. Other referenced advisories (e.g., iOS/iPadOS 16.7, iOS/iPadOS 17.2, iOS/iPadOS 18.1, iOS/iPadOS 18.3, macOS Sequoia 15.1, iOS/iPadOS 26.1, macOS Tahoe 26.1, iOS/iPadOS 26.2) primarily enumerate additional CVEs and privacy/logic/memory-safety fixes but do not clearly tie to the same specific exploited-vulnerability disclosures, indicating they are broader platform security bulletins rather than part of a single incident response.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Apple releases iOS 16.7 with three actively exploited fixes
On 2023-09-21, Apple released iOS 16.7 and iPadOS 16.7, addressing CVE-2023-41992 in the kernel, CVE-2023-41991 in Security, and CVE-2023-41993 in WebKit. Apple said all three flaws may have been actively exploited against iOS versions prior to iOS 16.7.
Apple releases watchOS 9.6.3 for two exploited iOS-related flaws
On 2023-09-21, Apple released watchOS 9.6.3 to fix CVE-2023-41992 and CVE-2023-41991. Apple said both vulnerabilities may have been actively exploited against versions of iOS prior to iOS 16.7.
Apple releases iOS 16.6.1, iPadOS 16.6.1, and macOS Ventura 13.5.2
On 2023-09-07, Apple shipped iOS 16.6.1, iPadOS 16.6.1, and macOS Ventura 13.5.2 to fix CVE-2023-41064 in ImageIO and a Wallet validation flaw affecting iOS/iPadOS. Apple said the issues may have been actively exploited in the wild, and credited Citizen Lab for assistance and reporting.
Apple issues iOS 16.6 and iPadOS 16.6 with multiple security fixes
On 2023-07-24, Apple released iOS 16.6 and iPadOS 16.6, fixing numerous vulnerabilities across components including the kernel and WebKit. The advisory notes that at least two of the issues may have been actively exploited, and one flaw, CVE-2023-37450, had first been addressed in Rapid Security Response 16.5.1(c).
Apple releases macOS Big Sur 11.7.6 for exploited kernel flaw
On 2023-04-10, Apple also released macOS Big Sur 11.7.6 to address CVE-2023-28206, an IOSurfaceAccelerator out-of-bounds write that could let an app execute code with kernel privileges. Apple said it was aware of a report that the issue may have been actively exploited.
Apple releases iOS 15.7.5 and related updates for two exploited flaws
On 2023-04-10, Apple released iOS 15.7.5 and iPadOS 15.7.5 to fix CVE-2023-28206 in IOSurfaceAccelerator and CVE-2023-28205 in WebKit. Apple said both vulnerabilities may have been actively exploited against older iPhone, iPad, and iPod touch devices.
Apple ships iOS 16.3.1 and iPadOS 16.3.1 with exploited WebKit fix
Apple released iOS 16.3.1 and iPadOS 16.3.1 in February 2023, addressing CVE-2023-23514, CVE-2023-23524, and CVE-2023-23529. Apple noted that the WebKit type confusion flaw CVE-2023-23529 may have been actively exploited.
Apple releases iOS 15.6.1 and iPadOS 15.6.1 for two zero-days
On 2022-08-17, Apple released iOS 15.6.1 and iPadOS 15.6.1 to fix CVE-2022-32894 in the kernel and CVE-2022-32893 in WebKit. Apple said both flaws may have been actively exploited, allowing kernel-level code execution or code execution via malicious web content.
Sources
About the security content of iOS 16.6 and iPadOS 16.6 - Apple Support (support.apple.com)
About the security content of iOS 15.6.1 and iPadOS 15.6.1 - Apple Support (support.apple.com)
About the security content of iOS 15.7.5 and iPadOS 15.7.5 - Apple Support (support.apple.com)
About the security content of iOS 16.3.1 and iPadOS 16.3.1 - Apple Support (support.apple.com)
About the security content of macOS Ventura 13.5.2 - Apple Support (support.apple.com)
About the security content of iOS 17.0.1 and iPadOS 17.0.1 - Apple Support (support.apple.com)
About the security content of iOS 16.6.1 and iPadOS 16.6.1 - Apple Support (support.apple.com)
About the security content of watchOS 9.6.3 - Apple Support (support.apple.com)
About the security content of macOS Big Sur 11.7.6 - Apple Support (support.apple.com)


