Apple released iOS 18.7 and iPadOS 18.7 on Monday to close a lengthy list of security holes.
The updates address a wide array of threats, from unexpected app or system termination to an app being able to spy on users’ keystrokes. If you’re not updating to iOS 26 or iPadOS 26, which also arrived Monday, you should grab these security updates as soon as possible.
iOS 18.7 and iPadOS 18.7 security patches address wide array of bugs
Monday’s security patches arrived alongside iOS 26, macOS 26, iPadOS 26, watchOS 26, visionOS 26 and tvOS 26. Those updates bring Apple’s new Liquid Glass user interface to devices that can run them.
For anyone with an iPhone or iPad that can’t run the flashy new operating systems, or those who just want to put off the controversial Liquid Glass upgrade, today’s security patches offer protection from a wide range of potential problems.
Apple detailed a surprisingly lengthy list of threats in its security notes about iOS 18.7 and iPadOS 18.7. Some of them sound pretty gnarly.
Aside from system processes, the bugs also affect Apple’s Shortcuts and Notes apps. Here’s Apple’s summary of the bug fixes in the new operating systems for iPhone and iPad.
Audio
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2025-43346: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
CoreAudio
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted video file may lead to unexpected app termination
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2025-43349: @zlluny working with Trend Micro Zero Day Initiative
IOHIDFamily
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause unexpected system termination
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2025-43302: Keisuke Hosoda
Kernel
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: A UDP server socket bound to a local interface may become bound to all interfaces
Description: A logic issue was addressed with improved state management.
CVE-2025-43359: Viktor Oreshkin
LaunchServices
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to monitor keystrokes without user permission
Description: The issue was addressed with improved checks.
CVE-2025-43362: Philipp Baldauf
libc
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause a denial-of-service
Description: A denial-of-service issue was addressed with improved validation.
CVE-2025-43299: Nathaniel Oh (@calysteon)
CVE-2025-43295: Nathaniel Oh (@calysteon)
MobileStorageMounter
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause a denial-of-service
Description: A type confusion issue was addressed with improved memory handling.
CVE-2025-43355: Dawuge of Shuffle Team
Notes
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: An attacker with physical access to an unlocked device may be able to view an image in the most recently viewed locked note
Description: The issue was addressed with improved handling of caches.
CVE-2025-43203: Tom Brzezinski
Shortcuts
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: A shortcut may be able to bypass sandbox restrictions
Description: A permissions issue was addressed with additional sandbox restrictions.
CVE-2025-43358: 정답이 아닌 해답
WebKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: A website may be able to access sensor information without user consent
Description: The issue was addressed with improved handling of caches.
WebKit Bugzilla: 296153
CVE-2025-43356: Jaydev Ahire
WebKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A correctness issue was addressed with improved checks.
WebKit Bugzilla: 296042
CVE-2025-43342: an anonymous researcher
Apple released no equivalent updates for macOS or watchOS.
What’s new in iOS 26, macOS 26 and the other Liquid Glass operating systems
As mentioned, the iOS 18.7 and iPadOS 18.7 security updates aren’t the only upgrades Apple released Monday. iPadOS 26, iPadOS 26, watchOS 26, macOS 26, visionOS 26 and tvOS 26 all arrived, officially introducing the glossy Liquid Glass UI to the Apple ecosystem.
Check out the hot new features in the other major updates Apple released today:
- Everything new in iOS 26
- Best new features in iPadOS 26
- Everything new in watchOS 26
- Everything new in macOS 26 Tahoe
- Everything new in visionOS 26
Lewis Wallace is the managing editor of Cult of Mac and author of our weekly newsletter, The Weekender.
He’s a San Francisco-based writer and editor specializing in technology and culture. He loves his iPhone, hates Siri, and appreciates any hardware that combines form and function.
Prior to Cult of Mac, he juggled words and ideas as culture editor at Wired.com, homepage editor at TechTV, news product manager at NBCi, copy editor at PC World, reporter at The (Hayward) Daily Review and editor in chief of EveryBody’s News in Cincinnati.
He earned a bachelor of general studies degree with a journalism certificate from the University of Cincinnati. While in school, he worked as the entertainment editor of The News Record and as editor in chief of Clifton Magazine.
He’s also a bass player, who’s recorded and performed around the United States with Those Darn Accordions, The Electric Boogie Dawgz and The Mad Maggies. When not writing, editing or laying down bass lines, he plays darts and serves on the board of the San Francisco Darts League.
