Apple released iOS 18.6, iPadOS 18.6, and macOS Sequoia 15.6 updates earlier this week, and those new releases address a dangerous zero-day attack targeting Chrome browser users, according to a Bleeping Computer report.
Apple says that the fix for CVE-2025-6558 fixed a vulnerability in open source code that also affected Apple’s Safari. The flaw could allow remote attackers to execute arbitrary code using HTML pages created for that purpose, escaping Chrome’s sandboxing. Google patched the issue on July 15, and said that it had been actively exploited.
WebKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
WebKit Bugzilla: 296459
CVE-2025-6558: Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group
In Safari, Apple said that while the issue could cause unexpected crashing, it wasn’t known to have been used in attacks against Safari users.
Google hasn’t yet explained how the exploit works, instead opting to hold back additional information until the majority of Chrome users have updated their devices. Chrome users are urged to install the latest version of Chrome as soon as possible.
The iOS 18.6, iPadOS 18.6, and macOS Sequoia 15.6 updates also address dozens of other security vulnerabilities, according to Apple’s security support documents.
The iOS 18.6 and iPadOS 18.6 updates fix more than 20 vulnerabilities including an Accessibility flaw that would allow a Passcode to be read aloud by VoiceOver, as well as another vulnerability that could allow bad actors to parse maliciously crafted audio, leading to memory corruption.
The update also fixes eight WebKit-related security flaws that could disclose sensitive user information, cause Safari to crash, and result in memory corruption.
iPad users whose device cannot be updated to iPadOS 18.6, can install an iPadOS 17.7.9 update, which includes a number of security fixes.
Meanwhile, macOS Sequoia 15.6 includes fixes for more than 80 vulnerabilities that could lead to crashes, leak sensitive user data, and more. The update includes fixes for Safari, Spotlight, System Settings, the Dock, Find My, Notes, and other apps and features.
macOS Sonoma 14.7.7 and macOS Ventura 13.7.7 updates are available for those who have older Macs that can’t run macOS Sequoia 15.6.
Apple also released its visionOS 2.6, tvOS 18.6, and watchOS 11.6 updates, which include fixes for nearly 20 vulnerabilities.
While none of the vulnerabilities are known to have been exploited in the wild, it is still a good idea to update your Apple devices as soon as possible.