Apple Releases Emergency Patches for Three Actively Exploited WebKit Vulnerabilities

Apple has pushed emergency security updates for iOS 19.3.1, iPadOS 19.3.1, macOS Sequoia 15.3.1, and Safari 18.3.1 to address three WebKit zero-day vulnerabilities that have been exploited in highly targeted attacks against journalists and human rights activists.

The vulnerabilities — CVE-2026-23529, CVE-2026-23530, and CVE-2026-23531 — form an exploit chain that allows complete device compromise through a single malicious link. No user interaction beyond clicking the link is required; the exploit bypasses all iOS security mitigations including PAC and KTRR.

Citizen Lab at the University of Toronto discovered the exploit chain after analyzing the iPhone of a journalist working in the Middle East. The attack was attributed to a commercial spyware vendor that Citizen Lab has not yet named publicly.

"This is one of the most sophisticated zero-click exploit chains we've ever analyzed," said Bill Marczak, senior researcher at Citizen Lab. "It demonstrates that despite Apple's significant investments in security, the commercial spyware industry continues to find ways to compromise even fully updated devices."

Apple has not disclosed technical details about the vulnerabilities to prevent additional exploitation. The company has also announced that it will expand its Lockdown Mode with additional protections in iOS 19.4, expected next month.