Apple Patches Zero-Day Vulnerability Exploited Against Google Chrome Users – Urges Immediate Update

278/68 Friday, August 1, 2025

Apple has released a security patch to address a zero-day vulnerability, tracked as CVE-2025-6558 (CVSS score: 8.8), which has been actively exploited in attacks targeting Google Chrome users. The flaw stems from insufficient validation of untrusted data in the ANGLE (Almost Native Graphics Layer Engine) module and GPU components. If a user opens a maliciously crafted HTML page, the vulnerability may allow attackers to escape the browser sandbox.

Google confirmed the vulnerability is being exploited in the wild, with the Threat Analysis Group (TAG) identifying and reporting the issue on June 23, 2025. Researchers Clément Lecigne and Vlad Stolyarov were credited for the discovery.

Apple acknowledged that the open-source code shared with Chrome has impacted its own software, particularly affecting WebKit, Apple's browser engine. This issue can cause Safari to crash when rendering malicious web content. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.

Apple has issued security updates for multiple platforms to address the flaw:

  • iOS 18.6 and iPadOS 18.6: For iPhone XS and later, iPad 7th Gen and later
  • macOS Sequoia 15.6
  • iPadOS 17.7.9: For iPad Pro 12.9” (2nd Gen), iPad Pro 10.5”, iPad 6th Gen
  • visionOS 2.6: For Apple Vision Pro
  • watchOS 11.6: For Apple Watch Series 6 and later
  • tvOS 18.6: For Apple TV HD and Apple TV 4K

Apple strongly urges all users to update their devices immediately to the latest versions in order to protect against potential attacks through unpatched browsers or compromised websites.

Source: https://securityaffairs.com/180595/security/apple-fixed-a-zero-day-exploited-in-attacks-against-google-chrome-users.html