Apple security release notes and third-party reporting on iOS WebKit risk
Apple published multiple security release notes and update entries across its platforms, including iOS/iPadOS point releases (e.g., iOS/iPadOS 26.2.1, 18.7.4, 16.7.13, 15.8.6, 12.5.8) and watchOS 26.2.1, with Apple indicating no published CVE entries for several of the January 2026 point updates. Apple also refreshed or republished detailed historical security-content pages for older products, including macOS Big Sur 11.7.9 (listing fixes such as CVE-2023-34425 kernel-privilege arbitrary code execution in Apple Neural Engine, CVE-2023-32364 sandbox restriction bypass, and other privacy/logic issues), Xcode 14.1 (including multiple git issues such as CVE-2022-29187, CVE-2022-39253, CVE-2022-39260, plus an Xcode Server privilege issue CVE-2022-42797), and visionOS 2 for Apple Vision Pro (including issues like CVE-2024-44126 heap corruption from crafted files, CVE-2024-27876 arbitrary file write via archive unpacking race condition, and additional sandbox/data-access weaknesses).
Separately, a vendor blog post warned that critical WebKit vulnerabilities could enable remote compromise of iOS devices via a malicious webpage (arbitrary code execution and potential credential/data theft), emphasizing patch latency as a key risk; however, the post does not clearly map its claims to specific Apple CVEs or to the “no published CVE entries” iOS/iPadOS point releases listed on Apple’s security releases page. A Reddit /r/netsec item about a one-click vulnerability in IDIS Cloud Manager (ICM) Viewer (triggered by clicking an untrusted link) is unrelated to Apple/WebKit and does not align with the Apple security-release content.
Sources
Related Stories
Apple security updates addressing actively exploited iOS and macOS vulnerabilities
Apple published multiple security advisories across iOS/iPadOS, macOS, and watchOS releases that include fixes for vulnerabilities reported as **actively exploited** in the wild. Notable exploited issues include iOS/iPadOS 15.6.1 fixes for **kernel** and **WebKit** out-of-bounds writes enabling arbitrary code execution (`CVE-2022-32894`, `CVE-2022-32893`), iOS/iPadOS 16.3.1’s exploited **WebKit** type confusion leading to code execution (`CVE-2023-23529`), and iOS/iPadOS 15.7.5 plus macOS Big Sur 11.7.6 addressing an **IOSurfaceAccelerator** out-of-bounds write that could yield kernel-level code execution (`CVE-2023-28206`) alongside an exploited **WebKit** use-after-free (`CVE-2023-28205`). Apple also shipped iOS/iPadOS 16.6.1 and macOS Ventura 13.5.2 updates to remediate an exploited **ImageIO** buffer overflow (`CVE-2023-41064`) and an exploited **Wallet** attachment validation issue that could allow code execution (`CVE-2023-41061`). Separately, Apple’s iOS 17.0.1 and watchOS 9.6.3 advisories describe two vulnerabilities (`CVE-2023-41991`, `CVE-2023-41992`) reported by **Citizen Lab** and Google’s **Threat Analysis Group** as exploited against versions prior to iOS 16.7, involving **signature validation bypass** and **local privilege escalation**. Other referenced advisories (e.g., iOS/iPadOS 16.7, iOS/iPadOS 17.2, iOS/iPadOS 18.1, iOS/iPadOS 18.3, macOS Sequoia 15.1, iOS/iPadOS 26.1, macOS Tahoe 26.1, iOS/iPadOS 26.2) primarily enumerate additional CVEs and privacy/logic/memory-safety fixes but do not clearly tie to the same specific exploited-vulnerability disclosures, indicating they are broader platform security bulletins rather than part of a single incident response.
1 months ago
Apple iOS/iPadOS Security Updates and CVE Fixes Across Multiple Releases
Apple published security advisories detailing vulnerability fixes across multiple iOS and iPadOS versions, including iOS/iPadOS **16.7**, **17.2**, **18.1**, **18.3**, **26.1**, and **26.2**. The advisories describe a range of impacts such as sandbox escapes (including Web Content sandbox breakout), privacy issues where apps could access or expose sensitive user data via insufficient log redaction, file-system modification via temporary-file handling, and memory-safety flaws (e.g., out-of-bounds reads, type confusion, and bounds-checking issues) that could lead to crashes or memory corruption. Apple attributes fixes to changes like improved protocol handling, cache handling, input validation, and additional permission restrictions, and references issues by **CVE** where available. Several advisories also highlight device-state and authentication/logic weaknesses: iOS/iPadOS 18.3 includes a case where an attacker with physical access to an **unlocked** device could access Photos while the app is locked (`CVE-2025-24141`), while iOS/iPadOS 18.1 includes a lock-screen exposure issue (`CVE-2024-44274`) and a Shortcuts-related path-handling flaw that could allow arbitrary shortcut execution without user consent (`CVE-2024-44255`). The iOS/iPadOS 26.x advisories include privacy and permission issues (e.g., identifying installed apps, screenshots of sensitive embedded views), potential kernel memory corruption/system termination conditions, and logic/UI issues affecting security posture (e.g., passcode requirement timing after Face ID enrollment restore scenarios and potential FaceTime caller ID spoofing), with multiple findings credited to external researchers and teams (including Google Project Zero, ByteDance IES Red Team, and others).
1 months ago
Apple iOS 26 WebKit Zero-Day Patches Leave Unpatched iPhones and iPads Exposed
Apple disclosed and patched two critical **WebKit** vulnerabilities, `CVE-2025-43529` and `CVE-2025-14174`, that could allow attackers to execute code via Safari and potentially gain broad access to affected iPhones and iPads, including sensitive data such as passwords and financial information. Reporting describes the issues as *zero-click/low-interaction* style browser exploitation stemming from memory-handling flaws in WebKit, with claims they were exploited as **zero-days in the wild** prior to Apple’s fixes. The fixes are reported as delivered in **iOS 26**, creating exposure risk for users who have not upgraded and for devices that cannot move beyond older iOS/iPadOS versions; multiple sources cite slow adoption of iOS 26, leaving a large population potentially unpatched. Separate coverage encouraging upgrades to iOS 26 frames security as a primary driver (patching “nasty security bugs”), reinforcing the operational takeaway for enterprises: accelerate iOS 26 rollout where supported, and apply compensating controls (e.g., device refresh planning, stricter web content controls, and MDM-enforced update compliance) for fleets that cannot upgrade.
1 months ago