When Apple dropped iOS 18.6 this week, it didn’t ship a bunch of new features and changes. Indeed, when you update your iPhone, it’ll appear exactly as it did running iOS 18.5. Under the hood, however, the update introduced more than 20 patches for security vulnerabilities across iOS, making it an important security update for all compatible devices.
When Apple released its security notes for the update, it did not indicate whether any of the flaws were zero-days—in other words, whether any of the flaws had been exploited or publicly disclosed before a patch was readily available. That puts the user at an advantage, since it suggests bad actors haven’t figured out how to take advantage of any of the now-fixed flaws. However, as it turns out, one of these flaws was actively exploited—just not against an Apple product.
The vulnerability in question is tracked as CVE-2025-6558. Per Apple’s release notes, this is a flaw that could crash Safari when processing malicious web content. As Apple states, the vulnerability isn’t an iOS-specific flaw; rather, it’s a vulnerability in open source code, and Apple’s software is impacted.
While Apple says this vulnerability was not exploited against Apple software, at least at the time the release notes were published, one piece of software that appears to have been actively exploited using this flaw is Google Chrome. As reported by Bleeping Computer, CVE-2025-6558 can allow bad actors to run their own code within Chrome’s GPU process when visiting malicious websites. This could enable hackers to break into the operating system of the target’s machine. If you’re using an Apple product, that would mean iOS, macOS, iPadOS, tvOS, visionOS, or watchOS could be compromised by this attack. (Apple released security updates for each of these OSes.)
The flaw is serious business: The Cybersecurity and Infrastructure Security Agency (CISA) listed this flaw in its Known Exploited Vulnerabilities Catalog, and now requires federal agencies to update their software by Aug. 12.
Protecting your devices from this zero-day
To protect your devices from this vulnerability, update all affected hardware and software. That means updating any Apple devices to iOS 18.6 (or the corresponding security update Apple released for their OS), and if you use Chrome or a Chromium-based browser (like Microsoft Edge or Opera), updating it to the latest version.
You can typically install Apple updates, such as on an iPhone, from Settings > General > Software Update. On Chrome, click the three dots in the top right, then go to Help > About Google Chrome.