Apple recently rolled out iOS 18.6, iPadOS 18.6, macOS Sequoia 15.6, watchOS 11.6, tvOS 18.6, and visionOS 2.6 to address a serious zero-day vulnerability, CVE-2025-6558, that was actively exploited in attacks targeting Google Chrome users.
The issue lies in ANGLE, the open-source graphics abstraction layer used to translate GPU commands across platforms. Attackers could craft malicious HTML pages to exploit this flaw, allowing them to execute arbitrary code and potentially break out of Chrome’s sandbox environment. Google patched the bug on July 15 after its Threat Analysis Group — researchers Vlad Stolyarov and Clément Lecigne — flagged it in June as being exploited in the wild.
While the vulnerability was originally tied to Chrome, Apple issued updates because its own WebKit browser engine, which powers Safari and other Apple software, also relies on the same open-source components. In affected versions of Safari, the flaw could lead to unexpected crashes. Although no active exploitation has been reported against Safari users, Apple moved quickly to close off any possible attack vectors. This includes patches in iOS 18.6, iPadOS 18.6, macOS Sequoia 15.6, iPadOS 17.7.9 for older iPads, watchOS 11.6, tvOS 18.6, and visionOS 2.6.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-6558 to its Known Exploited Vulnerabilities (KEV) catalog on July 22. Federal agencies are required to apply patches by August 12 under Binding Operational Directive 22-01. CISA also urged all network defenders, not just those in the public sector, to prioritize patching, warning that attackers commonly use vulnerabilities like this one to breach systems.
Apple’s quick response highlights how closely connected security risks have become across platforms. The company noted that it doesn’t disclose or discuss vulnerabilities until after patches are released. This helps reduce the window of opportunity for attackers. These latest updates are part of Apple’s broader push to lock down its ecosystem, especially since WebKit is shared across iOS, iPadOS, and macOS.
Users should install these updates as soon as possible and make sure Chrome is also up to date. Alongside this, security experts recommend the basics: stay cautious about where you click, stick to trusted websites, and keep all your software current. With five other zero-days already patched by Apple this year, including critical flaws from January through April, it’s clear that these aren’t just theoretical threats anymore. Staying updated isn’t just good practice. It’s essential.
(via Bleeping Computer)