

























-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-03-24-2026-2 iOS 18.7.7 and iPadOS 18.7.7 iOS 18.7.7 and iPadOS 18.7.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/126793. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. 802.1X Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An attacker in a privileged network position may be able to intercept network traffic Description: An authentication issue was addressed with improved state management. CVE-2026-28865: Héloïse Gollier and Mathy Vanhoef (KU Leuven) AppleKeyStore Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to cause unexpected system termination Description: A use after free issue was addressed with improved memory management. CVE-2026-20637: Johnny Franks (zeroxjf), an anonymous researcher Audio Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing maliciously crafted web content may lead to an unexpected process crash Description: A use-after-free issue was addressed with improved memory management. CVE-2026-28879: Justin Cohen of Google Clipboard Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to access sensitive user data Description: This issue was addressed with improved validation of symlinks. CVE-2026-28866: Cristian Dinca (icmd.tech) CoreMedia Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing an audio stream in a maliciously crafted media file may terminate the process Description: An out-of-bounds access issue was addressed with improved bounds checking. CVE-2026-20690: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative CoreUtils Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A user in a privileged network position may be able to cause a denial-of-service Description: A null pointer dereference was addressed with improved input validation. CVE-2026-28886: Etienne Charron (Renault) and Victoria Martini (Renault) Crash Reporter Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to enumerate a user's installed apps Description: A privacy issue was addressed by removing sensitive data. CVE-2026-28878: Zhongcheng Li from IES Red Team curl Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An issue existed in curl which may result in unintentionally sending sensitive information via an incorrect connection Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org. CVE-2025-14524 DeviceLink Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to access sensitive user data Description: A parsing issue in the handling of directory paths was addressed with improved path validation. CVE-2026-28876: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs Focus Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to access sensitive user data Description: A logging issue was addressed with improved data redaction. CVE-2026-20668: Kirin (@Pwnrin) iCloud Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to enumerate a user's installed apps Description: A permissions issue was addressed with additional restrictions. CVE-2026-28880: Zhongcheng Li from IES Red Team ImageIO Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing a maliciously crafted file may lead to unexpected app termination Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org. CVE-2025-64505 iTunes Store Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A user with physical access to an iOS device may be able to bypass Activation Lock Description: A path handling issue was addressed with improved validation. CVE-2025-43534: iG0x72 and JJ of XiguaSec, Lehan Dilusha Jayasinghe Kernel Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to disclose kernel memory Description: A logging issue was addressed with improved data redaction. CVE-2026-28868: 이동하 (Lee Dong Ha of BoB 0xB6) Kernel Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to leak sensitive kernel state Description: This issue was addressed with improved authentication. CVE-2026-28867: Jian Lee (@speedyfriend433) Kernel Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to cause unexpected system termination or write kernel memory Description: A use after free issue was addressed with improved memory management. CVE-2026-20687: Johnny Franks (@zeroxjf) mDNSResponder Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to leak sensitive kernel state Description: This issue was addressed with improved authentication. CVE-2026-28867: Jian Lee (@speedyfriend433) Security Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A local attacker may gain access to user's Keychain items Description: This issue was addressed with improved permissions checking. CVE-2026-28864: Alex Radocea UIFoundation Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: An app may be able to cause a denial-of-service Description: A stack overflow was addressed with improved input validation. CVE-2026-28852: Caspian Tarafdar Vision Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Parsing a maliciously crafted file may lead to an unexpected app termination Description: The issue was addressed with improved memory handling. CVE-2026-20657: Andrew Becker WebKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced Description: This issue was addressed through improved state management. WebKit Bugzilla: 304951 CVE-2026-20665: webb WebKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Processing maliciously crafted web content may bypass Same Origin Policy Description: A cross-origin issue in the Navigation API was addressed with improved input validation. WebKit Bugzilla: 306050 CVE-2026-20643: Thomas Espach WebKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A remote attacker may be able to view leaked DNS queries with Private Relay turned on Description: A logic issue was addressed with improved state management. WebKit Bugzilla: 295943 CVE-2025-43376: Mike Cardwell of grepular.com, Bob Lord WebKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: A malicious website may be able to access script message handlers intended for other origins Description: A logic issue was addressed with improved state management. WebKit Bugzilla: 307014 CVE-2026-28861: Hongze Wu and Shuaike Dong from Ant Group Infrastructure Security Team WebKit Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack Description: A logic issue was addressed with improved checks. WebKit Bugzilla: 305859 CVE-2026-28871: @hamayanhamayan Additional recognition Safari We would like to acknowledge @RenwaX23 for their assistance. This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 18.7.7 and iPadOS 18.7.7". All information is also posted on the Apple Security Releases web site: https://support.apple.com/100100. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEhjkl+zMLNwFiCT1o4Ifiq8DH7PUFAmnDIq0ACgkQ4Ifiq8DH 7PUFaw/9G3jAXEudRiecXeZp9k/N+UQjmqDFpRyTWcWna8xafXl+XdMP0oLha0P6 ENk+zYbval1EO32jsxGjD04APryEkIBIMeQzeNTdlFTH6jUhPT1gFc1n6kXIMviZ +dw31YSO6iz4gbYe3rMGqeDinE7IoPxFVky+6t70YseqE9HBq6Hn2ABpVlfoSwpm qicn+A6GrN7vAfHlnPXnehaJjOaVRJY55w5F4ISwqa/RcPlbdYtakXpon0be2Aun uq6Syarq69l3T4rCqfzhZMoq8QsnqT5V6aYewMHuojsg2etPHc/NPM5PjgaM4CB0 vy6eHLMXXvhofNdNIBw54glm6JZf9+ARrTDuHdsu3tLMteJeHdyLcFsANTztYeyQ tmBJgDWGZipwXC+ju5n8SF1f+i5oU1cMSRtu19EyeeWK2HZOCq603w+uk99SOZqK EZuc0/dmH4BYt0CvZ7P0wYh5oiIkAkRLznQE86a/+7K7PyKBgE6ezxRuq3tN9ExI n09WVCXCW47n1dUEs9FfGNRO0Cb6YIQ2hX4zQQJWEfQcKwYzr66mSEQvzTglDJPk yUF9Y5FbcJ/h7IWWGQr1PfnFTpbCMv9Pym1SRe0NrhoNWGxEP9ewHBkPRc3Gc1aB sNwyHy+M4iMaF1AFHHu4OjRf8vG7NLJdPx26RhIeL8ihIUcfF9U= =JY61 -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。