Apple releases security updates for iOS 18.7, macOS, iPadOS, and releases iOS 26 and macOS 26
Take action: Another big OS release from Apple. If you haven't updated your Apple devices with the emergency patch, update now to fix the exploited CVE-2025-43300. Even if you did patch, the regular update is a smart choice. Maybe don't install iOS 26 / macOS Tahoe 26 immediately; wait a month so you can see if anything bad happens.
Apple has released new versions of their operating systems as well as the brand new "26" versions of iOS and macOS Tahoe. The releases fix multiple security vulnerabilities including a critical severity flaw that was actively exploited in sophisticated targeted attacks.
The most significant vulnerability addressed in these updates is tracked as CVE-2025-43300 (CVSS score 8.8), an out-of-bounds write flaw in the ImageIO framework that poses substantial risk to organizations and individuals using vulnerable Apple devices. Processing a malicious image file on a vulnerable device could lead to memory corruption and potential system compromise.
Apple confirmed they are aware of reports that this issue may have been exploited in extremely sophisticated attacks against specific targeted individuals, making it particularly concerning for high-profile users and organizations. The vulnerability was discovered to have been chained with WhatsApp vulnerability CVE-2025-55177 in highly targeted spyware attacks affecting fewer than 200 individuals globally.
The released operating systems are iOS 18.7 and iPadOS 18.7, available for iPhone XS and later models, as well as iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later devices.
The macOS updates include macOS Sequoia 15.7 and macOS Sonoma 14.8.
Vulnerabilities summary
- CVE-2025-43300: Out-of-bounds write in ImageIO framework - actively exploited zero-day vulnerability
- CVE-2025-43349: Out-of-bounds write issue in CoreAudio affecting video file processing
- CVE-2025-43302: Out-of-bounds write issue in IOHIDFamily that could cause system termination
- CVE-2025-43359: Logic issue in Kernel affecting UDP server socket binding
- CVE-2025-43362: Vulnerability in LaunchServices allowing keystroke monitoring without permission
- CVE-2025-43299 and CVE-2025-43295: Denial-of-service issues in libc
- CVE-2025-43355: Type confusion issue in MobileStorageMounter
- CVE-2025-43358: Permissions issue in Shortcuts allowing sandbox restriction bypass
- CVE-2025-43298: Parsing issue in PackageKit that could allow root privilege escalation
- CVE-2025-43304: Race condition in StorageKit that could allow root privilege escalation
- CVE-2025-43332: File quarantine bypass in Security Initialization
- CVE-2025-43291: Permissions issue in SharedFileList allowing file system modification
- CVE-2025-43310: Configuration issue in WindowServer allowing pasteboard data manipulation
The security updates are recommended for immediate installation, especially because of the active exploitation of CVE-2025-43300. Users can install these updates through their device's standard software update mechanism: Settings > General > Software Update for iOS and iPadOS devices, or System Settings > General > Software Update on macOS systems.