Apple Backports Coruna Exploit Fixes to Older iPhone and iPad Models
Apple released emergency security updates for older devices to block exploitation associated with the Coruna exploit chain, backporting fixes previously delivered in newer iOS branches. The updates target legacy hardware that cannot move to the latest operating systems, with reporting indicating iOS 15.8.7 and iPadOS 15.8.7 protect devices such as the iPhone 6s, iPhone 7, first-generation iPhone SE, iPad Air 2, iPad mini 4, and iPod touch 7. The attack path described for Coruna combines multiple flaws in the kernel and WebKit, enabling device compromise through malicious web content and potentially leading to arbitrary code execution with elevated privileges.
Apple’s security documentation also confirms a related backport in iOS 16.7.15 and iPadOS 16.7.15 for slightly newer but still unsupported models, including iPhone 8, iPhone 8 Plus, iPhone X, and several older iPads. That advisory ties the Coruna exploit to CVE-2023-43010, a memory corruption issue triggered by processing crafted web content, and states the fix was originally shipped in iOS 17.2 before being brought to devices unable to upgrade further. Together, the updates show Apple is extending protections against an actively weaponized exploit chain across multiple older device families rather than limiting remediation to current-generation platforms.
Related Entities
Vulnerabilities
Organizations
Sources
Related Stories
Apple Security Updates Address Multiple Vulnerabilities Including an In-the-Wild Exploited Memory Corruption Flaw
Apple issued security updates across its ecosystem to address **multiple vulnerabilities** affecting *iOS, iPadOS, macOS, tvOS, watchOS,* and *visionOS*, with impacts including **remote code execution (RCE)**, denial of service, elevation of privilege, information disclosure, data manipulation, and security restriction bypass. HKCERT highlighted **CVE-2026-20700** as a **high-risk** issue and noted it is **being exploited in the wild**; the flaw is described as an **improper restriction of operations within the bounds of a memory buffer** that could allow arbitrary code execution when an attacker has memory-write capability. Apple’s iOS 26.3 and iPadOS 26.3 security content includes fixes for issues that could expose sensitive information on a locked device (e.g., **CVE-2026-20645** and **CVE-2026-20674**) and a Bluetooth-related denial-of-service condition where a privileged network attacker could trigger DoS using crafted packets (**CVE-2026-20650**). The updates apply to **iPhone 11 and later** and a range of supported iPad models, and Apple reiterated its policy of publishing details after patches are available.
1 months ago
Apple security updates addressing actively exploited iOS and macOS vulnerabilities
Apple published multiple security advisories across iOS/iPadOS, macOS, and watchOS releases that include fixes for vulnerabilities reported as **actively exploited** in the wild. Notable exploited issues include iOS/iPadOS 15.6.1 fixes for **kernel** and **WebKit** out-of-bounds writes enabling arbitrary code execution (`CVE-2022-32894`, `CVE-2022-32893`), iOS/iPadOS 16.3.1’s exploited **WebKit** type confusion leading to code execution (`CVE-2023-23529`), and iOS/iPadOS 15.7.5 plus macOS Big Sur 11.7.6 addressing an **IOSurfaceAccelerator** out-of-bounds write that could yield kernel-level code execution (`CVE-2023-28206`) alongside an exploited **WebKit** use-after-free (`CVE-2023-28205`). Apple also shipped iOS/iPadOS 16.6.1 and macOS Ventura 13.5.2 updates to remediate an exploited **ImageIO** buffer overflow (`CVE-2023-41064`) and an exploited **Wallet** attachment validation issue that could allow code execution (`CVE-2023-41061`). Separately, Apple’s iOS 17.0.1 and watchOS 9.6.3 advisories describe two vulnerabilities (`CVE-2023-41991`, `CVE-2023-41992`) reported by **Citizen Lab** and Google’s **Threat Analysis Group** as exploited against versions prior to iOS 16.7, involving **signature validation bypass** and **local privilege escalation**. Other referenced advisories (e.g., iOS/iPadOS 16.7, iOS/iPadOS 17.2, iOS/iPadOS 18.1, iOS/iPadOS 18.3, macOS Sequoia 15.1, iOS/iPadOS 26.1, macOS Tahoe 26.1, iOS/iPadOS 26.2) primarily enumerate additional CVEs and privacy/logic/memory-safety fixes but do not clearly tie to the same specific exploited-vulnerability disclosures, indicating they are broader platform security bulletins rather than part of a single incident response.
1 months ago
Apple iOS/iPadOS Security Updates and CVE Fixes Across Multiple Releases
Apple published security advisories detailing vulnerability fixes across multiple iOS and iPadOS versions, including iOS/iPadOS **16.7**, **17.2**, **18.1**, **18.3**, **26.1**, and **26.2**. The advisories describe a range of impacts such as sandbox escapes (including Web Content sandbox breakout), privacy issues where apps could access or expose sensitive user data via insufficient log redaction, file-system modification via temporary-file handling, and memory-safety flaws (e.g., out-of-bounds reads, type confusion, and bounds-checking issues) that could lead to crashes or memory corruption. Apple attributes fixes to changes like improved protocol handling, cache handling, input validation, and additional permission restrictions, and references issues by **CVE** where available. Several advisories also highlight device-state and authentication/logic weaknesses: iOS/iPadOS 18.3 includes a case where an attacker with physical access to an **unlocked** device could access Photos while the app is locked (`CVE-2025-24141`), while iOS/iPadOS 18.1 includes a lock-screen exposure issue (`CVE-2024-44274`) and a Shortcuts-related path-handling flaw that could allow arbitrary shortcut execution without user consent (`CVE-2024-44255`). The iOS/iPadOS 26.x advisories include privacy and permission issues (e.g., identifying installed apps, screenshots of sensitive embedded views), potential kernel memory corruption/system termination conditions, and logic/UI issues affecting security posture (e.g., passcode requirement timing after Face ID enrollment restore scenarios and potential FaceTime caller ID spoofing), with multiple findings credited to external researchers and teams (including Google Project Zero, ByteDance IES Red Team, and others).
1 months ago