Particle.news


Apple Releases Cross-Platform Patches for Zero-Day in WebKit’s ANGLE Engine

The updates close a critical WebKit flaw that was discovered by Google TAG and is subject to a CISA order requiring federal agencies to patch by August 12.


Overview

  • Updates for iOS 18.6 and iPadOS 18.6 address 29 security flaws, macOS Sequoia 15.6 fixes 87 CVEs, and watchOS 11.6, tvOS 18.6 and visionOS 2.6 include additional patches.
  • CVE-2025-6558 stems from improper validation in the shared ANGLE graphics layer and GPU components, enabling remote attackers to escape the browser sandbox via crafted HTML.
  • Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group discovered the flaw in June and Google patched Chrome 138 on July 15 after confirming active exploitation.
  • On July 22, CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and required federal agencies to remediate by August 12.
  • Apple reports no evidence of CVE-2025-6558 exploitation against Safari users, underscoring the importance of rapid cross-vendor coordination in securing open-source code.