Apple has released security updates to address a high-severity vulnerability that has been exploited in zero-day attacks targeting Google Chrome users.
Tracked as CVE-2025-6558, the security flaw is caused by incorrect validation of untrusted input in the ANGLE (Almost Native Graphics Layer Engine) open-source graphics abstraction layer, which processes GPU commands and translates OpenGL ES API calls to Direct3D, Metal, Vulkan, and OpenGL.
The vulnerability allows remote attackers to execute arbitrary code inside the browser's GPU process via specially crafted HTML pages, potentially letting them escape the sandbox that isolates browser processes from the underlying operating system.
Vlad Stolyarov and Clément Lecigne of Google's Threat Analysis Group (TAG), a team of security experts dedicated to protecting Google customers against state-sponsored attacks, discovered CVE-2025-6558 in June and reported it to the Google Chrome team, which patched it on July 15 and flagged it as actively exploited in attacks.
While Google has yet to provide further information on these attacks, Google TAG frequently discovers zero-day flaws exploited by government-sponsored threat actors in targeted campaigns aimed at deploying spyware on the devices of high-risk individuals, including dissidents, opposition politicians, and journalists.
On Tuesday, Apple released WebKit security updates to address the CVE-2025-6558 vulnerability for the following software and devices:
- iOS 18.6 and iPadOS 18.6: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
- macOS Sequoia 15.6: Macs running macOS Sequoia
- iPadOS 17.7.9: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
- tvOS 18.6: Apple TV HD and Apple TV 4K (all models)
- visionOS 2.6: Apple Vision Pro
- watchOS 11.6: Apple Watch Series 6 and later
“Processing maliciously crafted web content may lead to an unexpected Safari crash,” Apple explained when describing the impact of successful CVE-2025-6558 exploitation. “This is a vulnerability in open source code and Apple Software is among the affected projects.”
On July 22, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. cyber defense agency, also added this security bug to its catalog of vulnerabilities known to be exploited in attacks, requiring federal agencies to patch their software by August 12.
While Binding Operational Directive (BOD) 22-01, which mandates that federal agencies secure their systems, applies only to federal agencies, CISA advised all network defenders to prioritize patching the CVE-2025-6558 vulnerability as soon as possible.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity agency warned last week.
Apple has also patched five zero-day flaws exploited in targeted attacks since the start of the year, including one zero-day in January (CVE-2025-24085), one in February (CVE-2025-24200), a third in March (CVE-2025-24201), and two more in April (CVE-2025-31200 and CVE-2025-31201).