Apple has rolled out the iOS 18.5 security update, addressing a wide range of serious vulnerabilities that could allow attackers to execute malicious code just by tricking users into opening a booby-trapped image, video, or website. The update comes alongside new patches for iPadOS, macOS, WatchOS, tvOS, and visionOS.
The latest fixes include critical flaws in AppleJPEG and CoreMedia, both of which could be exploited by simply opening a rigged media file. Apple warns that attackers could use these weaknesses to run arbitrary code with the same privileges as the app viewing the file.
Additional issues have been resolved in CoreAudio, CoreGraphics, and ImageIO, where vulnerabilities in the way files are parsed could lead to data leaks or app crashes. Many of these flaws are especially dangerous because they require no user interaction beyond opening a compromised file.
WebKit Flaws, FaceTime Mute Bug, and Kernel Hardening Also Addressed
The iOS 18.5 update also patches at least nine vulnerabilities in WebKit, Apple’s browser engine, including bugs that allow malicious websites to crash Safari or run unauthorized code. One particularly serious flaw allowed websites to trigger app behavior typically restricted by security protocols.
A significant privacy issue in FaceTime has also been fixed: a bug that continued transmitting audio even after the user had hit the mute button. This raised concerns over user trust in the app’s privacy controls, especially in sensitive conversations.
Deeper in the system, Apple hardened the iOS kernel by fixing two memory corruption bugs. A separate patch addresses a libexpat bug (CVE-2024-8176)—a known vulnerability affecting numerous open-source projects.
Other notable fixes include:
- A Baseband flaw (CVE-2025-31214) that could let an attacker intercept traffic on the new iPhone 16e.
- A privilege escalation vulnerability in mDNSResponder (CVE-2025-31222).
- A data exposure issue in Notes that could allow access to private information from the lock screen.
- Security gaps in FrontBoard, iCloud Document Sharing, and Mail Addressing.
Apple did not report any active exploitation of these vulnerabilities in the wild, but the sheer number of high-risk bugs makes this update an urgent install for all users.
The iOS 18.5 update is available for iPhone XS and later, while the iPadOS 18.5 release supports iPad Pro (2018+), iPad Air 3, iPad 7, iPad mini 5, and newer devices. Updates are also available for macOS Sequoia, Sonoma, and Ventura, in addition to WatchOS, tvOS, and visionOS.
