Apple security updates addressing actively exploited iOS and macOS vulnerabilities

Updated January 25, 2026 at 06:02 AM · 9 sources

Apple published multiple security advisories across iOS/iPadOS, macOS, and watchOS releases that include fixes for vulnerabilities reported as actively exploited in the wild. Notable exploited issues include iOS/iPadOS 15.6.1 fixes for kernel and WebKit out-of-bounds writes enabling arbitrary code execution (CVE-2022-32894, CVE-2022-32893), iOS/iPadOS 16.3.1’s exploited WebKit type confusion leading to code execution (CVE-2023-23529), and iOS/iPadOS 15.7.5 plus macOS Big Sur 11.7.6 addressing an IOSurfaceAccelerator out-of-bounds write that could yield kernel-level code execution (CVE-2023-28206) alongside an exploited WebKit use-after-free (CVE-2023-28205). Apple also shipped iOS/iPadOS 16.6.1 and macOS Ventura 13.5.2 updates to remediate an exploited ImageIO buffer overflow (CVE-2023-41064) and an exploited Wallet attachment validation issue that could allow code execution (CVE-2023-41061).

Separately, Apple’s iOS 17.0.1 and watchOS 9.6.3 advisories describe two vulnerabilities (CVE-2023-41991, CVE-2023-41992) reported by Citizen Lab and Google’s Threat Analysis Group as exploited against versions prior to iOS 16.7, involving signature validation bypass and local privilege escalation. Other referenced advisories (e.g., iOS/iPadOS 16.7, iOS/iPadOS 17.2, iOS/iPadOS 18.1, iOS/iPadOS 18.3, macOS Sequoia 15.1, iOS/iPadOS 26.1, macOS Tahoe 26.1, iOS/iPadOS 26.2) primarily enumerate additional CVEs and privacy/logic/memory-safety fixes but do not clearly tie to the same specific exploited-vulnerability disclosures, indicating they are broader platform security bulletins rather than part of a single incident response.


Related Stories

Apple iOS/iPadOS Security Updates and CVE Fixes Across Multiple Releases

Apple published security advisories detailing vulnerability fixes across multiple iOS and iPadOS versions, including iOS/iPadOS **16.7**, **17.2**, **18.1**, **18.3**, **26.1**, and **26.2**. The advisories describe a range of impacts such as sandbox escapes (including Web Content sandbox breakout), privacy issues where apps could access or expose sensitive user data via insufficient log redaction, file-system modification via temporary-file handling, and memory-safety flaws (e.g., out-of-bounds reads, type confusion, and bounds-checking issues) that could lead to crashes or memory corruption. Apple attributes fixes to changes like improved protocol handling, cache handling, input validation, and additional permission restrictions, and references issues by **CVE** where available. Several advisories also highlight device-state and authentication/logic weaknesses: iOS/iPadOS 18.3 includes a case where an attacker with physical access to an **unlocked** device could access Photos while the app is locked (`CVE-2025-24141`), while iOS/iPadOS 18.1 includes a lock-screen exposure issue (`CVE-2024-44274`) and a Shortcuts-related path-handling flaw that could allow arbitrary shortcut execution without user consent (`CVE-2024-44255`). The iOS/iPadOS 26.x advisories include privacy and permission issues (e.g., identifying installed apps, screenshots of sensitive embedded views), potential kernel memory corruption/system termination conditions, and logic/UI issues affecting security posture (e.g., passcode requirement timing after Face ID enrollment restore scenarios and potential FaceTime caller ID spoofing), with multiple findings credited to external researchers and teams (including Google Project Zero, ByteDance IES Red Team, and others).

1 month ago
Apple Patches Actively Exploited dyld Zero-Day in iOS and Other Platforms

Apple released security updates to address an **actively exploited zero-day** tracked as **CVE-2026-20700**, warning it may have been used in an “extremely sophisticated” attack targeting specific individuals on versions of iOS prior to *iOS 26*. The flaw affects **`dyld` (Apple’s dynamic linker)** and can allow **arbitrary code execution** when an attacker already has **memory write** capability; reporting attributes discovery to **Google’s Threat Analysis Group** and notes it may have been used as part of an exploit chain. Apple shipped fixes across its ecosystem, including *iOS 26.3*, *iPadOS 26.3*, *macOS Tahoe 26.3*, *watchOS 26.3*, *tvOS 26.3*, and *visionOS 26.3*. The same reporting indicates Apple also issued patches tied to the broader report for **CVE-2025-14174** (an out-of-bounds memory access issue in Chrome’s **ANGLE** graphics component on Mac) and **CVE-2025-43529** (a **use-after-free** leading to code execution), and commentary from security practitioners emphasized that enterprise risk is driven by **patch deployment speed**—particularly where updates rely on end users rather than enforced device management.

1 month ago
Apple security release notes and third-party reporting on iOS WebKit risk

Apple published multiple security release notes and update entries across its platforms, including iOS/iPadOS point releases (e.g., iOS/iPadOS 26.2.1, 18.7.4, 16.7.13, 15.8.6, 12.5.8) and watchOS 26.2.1, with Apple indicating **no published CVE entries** for several of the January 2026 point updates. Apple also refreshed or republished detailed historical security-content pages for older products, including macOS Big Sur 11.7.9 (listing fixes such as **CVE-2023-34425** kernel-privilege arbitrary code execution in Apple Neural Engine, **CVE-2023-32364** sandbox restriction bypass, and other privacy/logic issues), Xcode 14.1 (including multiple *git* issues such as **CVE-2022-29187**, **CVE-2022-39253**, **CVE-2022-39260**, plus an Xcode Server privilege issue **CVE-2022-42797**), and visionOS 2 for Apple Vision Pro (including issues like **CVE-2024-44126** heap corruption from crafted files, **CVE-2024-27876** arbitrary file write via archive unpacking race condition, and additional sandbox/data-access weaknesses). Separately, a vendor blog post warned that **critical WebKit vulnerabilities** could enable remote compromise of iOS devices via a malicious webpage (arbitrary code execution and potential credential/data theft), emphasizing patch latency as a key risk; however, the post does not clearly map its claims to specific Apple CVEs or to the “no published CVE entries” iOS/iPadOS point releases listed on Apple’s security releases page. A Reddit /r/netsec item about a **one-click** vulnerability in *IDIS Cloud Manager (ICM) Viewer* (triggered by clicking an untrusted link) is unrelated to Apple/WebKit and does not align with the Apple security-release content.

1 month ago
