Overview
- Updates for iOS 18.6 and iPadOS 18.6 address 29 security flaws, macOS Sequoia 15.6 fixes 87 CVEs, and watchOS 11.6, tvOS 18.6 and visionOS 2.6 include additional patches.
- CVE-2025-6558 stems from improper validation in the shared ANGLE graphics layer and GPU components, enabling remote attackers to escape the browser sandbox via crafted HTML.
- Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group discovered the flaw in June, and Google patched Chrome 138 on July 15 after confirming active exploitation.
- On July 22, CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and mandated that federal agencies remediate it by August 12.
- Apple reports no evidence of CVE-2025-6558 exploitation against Safari users, underscoring the importance of rapid cross-vendor coordination in securing open-source code.