Apple issues security updates to fix zero-day flaw used in Chrome attacks — update your iPhone and Mac right now


Apple users should be sure to update their devices to iOS 18.6, particularly if they’re also Chrome users, as the latest software version includes a security patch that addresses a high-severity vulnerability that has been exploited against the browser in zero-day attacks.

As reported by Bleeping Computer, the zero-day flaw in question (tracked as CVE-2025-6558) involves an incorrect validation of untrusted input in an open-source graphics abstraction layer that processes GPU commands and translates API calls.

The flaw enables remote attackers to execute arbitrary code within the browser’s GPU process via specially crafted HTML pages. This could potentially allow them to escape the sandbox that isolates browser processes from the underlying operating system.

All this to say that, according to BGR, if you don’t update Chrome, you could be opening yourself up to being attacked just by visiting a malicious website. Attackers could run code on your device and bypass the protections that normally keep your browser safe, and from there perform other malicious activities like running malware on your phone, stealing passwords, deploying ransomware or botnets, or recording clipboard or webcam views.

The flaw was discovered in June by the Google TAG team and reported to Chrome, who patched it in July and tagged it as actively exploited. As per usual, Google has yet to provide much additional information about the attacks. However, it is well-known that TAG is often responsible for discovering flaws that are exploited by government-sponsored threat actors in targeted campaigns.

Apple released WebKit security updates on Tuesday that address the vulnerability. The fixes ship in iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, iPadOS 17.7.9, tvOS 18.6, visionOS 2.6 and watchOS 11.6.

In its security statement, Apple said that “Processing maliciously crafted web content may lead to an unexpected Safari crash.” CISA (Cybersecurity and Infrastructure Security Agency) added this security bug to its catalog of vulnerabilities known to be exploited in attacks on July 22, requiring federal agencies to patch their software by August 12th.

Updating your phone, computer and, of course, your browser is something you should be doing regularly, and a zero-day flaw like this one, which could be exploited by hackers in their attacks, is exactly the reason why.


Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
