Apple patches security flaw exploited in Chrome zero-day attacks

Apple has released security updates to address a high-severity vulnerability that has been exploited in zero-day attacks targeting Google Chrome users.

Tracked as CVE-2025-6558, the security bug is due to the incorrect validation of untrusted input in the ANGLE (Almost Native Graphics Layer Engine) open-source graphics abstraction layer, which processes GPU commands and translates OpenGL ES API calls to Direct3D, Metal, Vulkan, and OpenGL.

The vulnerability enables remote attackers to execute arbitrary code within the browser’s GPU process via specially crafted HTML pages, potentially allowing them to escape the sandbox that isolates browser processes from the underlying operating system.

Vlad Stolyarov and Clément Lecigne of Google’s Threat Analysis Group (TAG), a team of security experts dedicated to defending Google customers against state-sponsored attacks, discovered CVE-2025-6558 in June and reported it to the Google Chrome team, who patched it on July 15 and tagged it as actively exploited in attacks.

While Google has yet to provide further information on these attacks, Google TAG frequently discovers zero-day flaws exploited by government-sponsored threat actors in targeted campaigns aimed at deploying spyware on devices of high-risk individuals, including dissidents, opposition politicians, and journalists.

On Tuesday, Apple released WebKit security updates to address the CVE-2025-6558 vulnerability for the following software and devices:

• iOS 18.6 and iPadOS 18.6: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
• macOS Sequoia 15.6: Macs running macOS Sequoia
• iPadOS 17.7.9: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
• tvOS 18.6: Apple TV HD and Apple TV 4K (all models)
• visionOS 2.6: Apple Vision Pro
• watchOS 11.6: Apple Watch Series 6 and later

“Processing maliciously crafted web content may lead to an unexpected Safari crash,” Apple explained when describing the impact of CVE-2025-6558 successful exploitation. “This is a vulnerability in open source code and Apple Software is among the affected projects.”

On July 22, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. cyber defense agency, also added this security bug to its catalog of vulnerabilities known to be exploited in attacks, requiring federal agencies to patch their software by August 12.

While the Binding Operational Directive (BOD) 22-01, which mandates federal agencies to secure their systems, only applies to federal agencies, CISA advised all network defenders to prioritize patching the CVE-2025-6558 vulnerability as soon as possible.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity agency warned last week.

Apple has also patched five zero-day flaws exploited in targeted attacks since the start of the year, including one zero-day in January (CVE-2025-24085), one in February (CVE-2025-24200), a third in March (CVE-2025-24201), and two more in April (CVE-2025-31200 and CVE-2025-31201).