Apple Releases Security Patch to Address Zero-Day Vulnerability in Chrome

When Apple released iOS 18.6 this week, it didn’t introduce any new features or visible changes. However, this update included over 20 patches for various security vulnerabilities in iOS, making it an important security update for all compatible devices.

In its security notes, Apple did not identify any of the flaws as zero-days, meaning none were reported as exploited or publicly disclosed before a fix was available. This is good news for users, as it indicates that bad actors hadn’t exploited any of these vulnerabilities against Apple products. However, one flaw was actively exploited, though not against an Apple product.

The vulnerability, CVE-2025-6558, can crash Safari when processing malicious web content and is part of open source code affecting Apple’s software. Although it wasn’t exploited against Apple software at the time of the release notes, it was actively exploited in Google Chrome. As reported by Bleeping Computer, CVE-2025-6558 allows bad actors to run their own code in Chrome’s GPU process through malicious websites, potentially compromising devices running various Apple operating systems. Apple issued security updates for iOS, macOS, iPadOS, tvOS, visionOS, and watchOS as a result.

The Cybersecurity and Infrastructure Security Agency (CISA) has listed this flaw in its Known Exploited Vulnerabilities Catalog and requires federal agencies to update their software by Aug. 12.

To protect your devices from this vulnerability, update all affected hardware and software. Update Apple devices to iOS 18.6 and ensure Chrome or any Chromium-based browser is updated to the latest version. Apple updates can be installed from Settings > General > Software Update on an iPhone. For Chrome, click the three dots in the top right, then go to Help > About Google Chrome.
