When Apple dropped iOS 18.6 this week, it did not ship a bunch of new features and changes. Indeed, if you update your iPhone, it will look exactly as it did running iOS 18.5. Under the hood, however, the update introduced more than 20 patches for security vulnerabilities across iOS, making it an important security update for all compatible devices.
When Apple released its security notes for the update, it didn't mention whether any of the issues were zero-days: in other words, whether any of the issues had been exploited or publicly disclosed before a patch was available. That leaves users better off, because it suggests bad actors haven't figured out how to take advantage of any of the now-fixed flaws. However, as it turns out, one of these flaws was actively exploited, just not against an Apple product.
The vulnerability in question is tracked as CVE-2025-6558. Per Apple's release notes, this is a flaw that could crash Safari when processing malicious web content. As Apple states, the vulnerability isn't an iOS-specific flaw; rather, it's a vulnerability in open source code, and Apple's software is impacted.
While Apple says this vulnerability was not exploited against Apple software, at least at the time the release notes were published, one piece of software that appears to have been actively exploited using this flaw is Google Chrome. As reported by Bleeping Computer, CVE-2025-6558 can allow bad actors to run their own code within Chrome's GPU process when a user visits a malicious website. This could enable hackers to break into the operating system of the target's device. If you're using an Apple product, that would mean iOS, macOS, iPadOS, tvOS, visionOS, or watchOS could be compromised by this attack. (Apple released security updates for all of these OSes, respectively.)
The flaw is serious business: The Cybersecurity and Infrastructure Security Agency (CISA) listed this flaw in its Known Exploited Vulnerabilities Catalog, and now requires federal agencies to update their software by Aug. 12.
Protecting your devices from this zero-day
To make sure you protect your devices from this vulnerability, you'll want to update all affected hardware and software. That means you'll want to update any Apple devices to iOS 18.6, and if you use Chrome or a Chromium-based browser (like Microsoft Edge or Opera) you'll want to update it to the latest version.
You can usually install Apple updates, such as on an iPhone, from Settings > General > Software Update. In Chrome, click the three dots in the top right, then go to Help > About Google Chrome.