Overview

Apple has released urgent security updates across its software ecosystem to address a critical vulnerability—CVE-2025-6558—that was also exploited as a zero-day in Google Chrome earlier this month. The flaw, rated 8.8 on the CVSS scale, stems from incorrect validation of untrusted input in the browser’s ANGLE and GPU components, potentially allowing attackers to escape browser sandboxes via malicious HTML content.

Technical Details:

  • Vulnerability ID: CVE-2025-6558
  • Impact: Sandbox escape, browser crash, potential remote code execution
  • Affected Components: ANGLE and GPU in Chrome; WebKit engine in Safari
  • Discovery: Credited to Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG)
  • Exploit Status: Confirmed to exist in the wild by Google

 

Affected Devices

Apple confirmed the vulnerability affects the following devices and OS versions:

  • iOS 18.6 / iPadOS 18.6:
    • iPhone XS and later
    • iPad Pro (13″, 12.9″ 3rd gen+, 11″ 1st gen+)
    • iPad Air (3rd gen+)
    • iPad (7th gen+)
    • iPad mini (5th gen+)
  • iPadOS 17.7.9:
    • iPad Pro 12.9″ (2nd gen), 10.5″
    • iPad 6th gen
  • macOS Sequoia 15.6:
    • All Macs running Sequoia
  • tvOS 18.6:
    • Apple TV HD and 4K (all models)
  • watchOS 11.6:
    • Apple Watch Series 6 and later
  • visionOS 2.6:
    • Apple Vision Pro

 

Recommended Remediations

ctrl:cyber recommends the below:

  • Update Immediately: Users are strongly advised to install the latest software updates to mitigate the risk.
  • Monitor for Unusual Activity: While no targeted attacks on Apple users have been confirmed, vigilance is recommended.
  • Enterprise Action: Security teams sh