Apple has released security updates to address a high-severity vulnerability that has been exploited in zero-day attacks targeting Google Chrome users.
Tracked as CVE-2025-6558, the security bug is due to the incorrect validation of untrusted input in the ANGLE (Almost Native Graphics Layer Engine) open-source graphics abstraction layer, which processes GPU commands and translates OpenGL ES API calls to Direct3D, Metal, Vulkan, and OpenGL.
The vulnerability enables remote attackers to execute arbitrary code within the browser's GPU process via specially crafted HTML pages, potentially allowing them to escape the sandbox that isolates browser processes from the underlying operating system.
Vlad Stolyarov and Clément Lecigne of Google's Threat Analysis Group (TAG), a team of security experts dedicated to defending Google customers against state-sponsored attacks, discovered CVE-2025-6558 in June and reported it to the Google Chrome team, who patched it on July 15 and tagged it as actively exploited in attacks.
While Google has yet to provide further information on these attacks, Google TAG frequently discovers zero-day flaws exploited by government-sponsored threat actors in targeted campaigns aimed at deploying spyware on devices of high-risk individuals, including dissidents, opposition politicians, and journalists.
On Tuesday, Apple released WebKit security updates to address the CVE-2025-6558 vulnerability for the following software and devices:
iOS 18.6 and iPadOS 18.6: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
macOS Sequoia 15.6: Macs running macOS Sequoia
iPadOS 17.7.9: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
tvOS 18.6: Apple TV HD and Apple TV 4K (all models)
... continue reading