Apple on Monday pushed out patches for security vulnerabilities across the macOS, iPhone and iPad software stack, warning that code-execution bugs that could be triggered simply by opening a rigged image, video or website.
The new iOS 18.5 update, rolled out alongside patches for iPadOS, covers critical bugs in AppleJPEG and CoreMedia with a major warning from Cupertino that attackers could craft malicious media files to run arbitrary code with the privileges of the targeted app.
The company also documented serious file-parsing vulnerabilities patched in CoreAudio, CoreGraphics, and ImageIO, each capable of crashing apps or leaking data if booby-trapped content is opened.
The iOS 18.5 update also provides cover for at least 9 documented WebKit flaws, some serious enough to lead to exploits that allow a hostile website to execute code or crash the Safari browser engine.
The company also patched a serious ‘mute-button’ flaw in FaceTime that exposes the audio conversation even after muting the microphone.
Beneath the interface, Apple said iOS 18.5 hardens the kernel against two memory-corruption issues and cleans up a libexpat flaw (CVE-2024-8176) that affects a broad range of software projects.
Other notable fixes include an issue in Baseband (CVE-2025-31214) that allows attackers in a privileged network position to intercept traffic on the new iPhone 16e line; a privilege escalation bug in mDNSResponder (CVE-2025-31222); an issue in Notes that expose data from a locked iPhone screen; and security gaps in FrontBoard, iCloud Document Sharing, and Mail Addressing.
Apple did not indicate that any of the patched bugs have been exploited in the wild
The iOS 18.5 update is available for iPhone XS and later; the companion iPadOS release covers the iPad Pro (2018 and newer), iPad Air 3, iPad 7, iPad mini 5, and later models.
The company also shipped major updates for macOS Sequoia, macOS Sonoma, macOS Ventura, WatchOS, tvOS and visionOS.
Related: Apple Quashes Two Zero-Days With iOS, MacOS Patches
Related: Apple Ships iOS 18.3.2 to Fix Already-Exploited WebKit Flaw
Related: New iOS Security Feature Reboots Devices to Protect User Data
