Apple Broadens iOS 18.7.7 Update to Safeguard Users from DarkSword Exploit
On April 1, 2026, Apple expanded the reach of its iOS 18.7.7 and iPadOS 18.7.7 updates to encompass a wider array of devices. This strategic move aims to fortify millions of users still operating on iOS 18 against DarkSword, a sophisticated exploit capable of covertly extracting extensive personal data.
Understanding the DarkSword Threat
DarkSword is an advanced iOS exploit kit that emerged in November 2025. It targets devices running iOS versions 18.4 through 18.7 by chaining six distinct vulnerabilities, including flaws in JavaScriptCore, `dyld`, and the iOS sandbox. This exploit achieves full kernel-level code execution with minimal user interaction, often requiring just a single visit to a malicious website.
Once activated, DarkSword can swiftly exfiltrate sensitive information such as passwords, messages, browser history, location data, cryptocurrency wallets, and Apple Health records. The exploit is designed to erase its traces post-execution, making detection challenging.
The Escalating Risk
In March 2026, the DarkSword toolkit was publicly leaked on GitHub, significantly lowering the barrier for less sophisticated threat actors to deploy it. Prior to this leak, DarkSword had been utilized by various commercial surveillance vendors and state-sponsored entities to target individuals in countries including Saudi Arabia, Turkey, Malaysia, and Ukraine.
Apple’s Proactive Response
Initially released on March 24, 2026, iOS 18.7.7 was extended to a broader device range on April 1, 2026, specifically to counter the DarkSword threat. This marks a departure from Apple’s usual policy, which typically requires users to upgrade to the latest major iOS version to receive security patches. By backporting these critical fixes, Apple aims to protect the approximately 20% of users still on iOS 18.
Key Vulnerabilities Addressed
The iOS 18.7.7 update addresses over 20 vulnerabilities across critical system components:
– 802.1X (CVE-2026-28865): An authentication flaw that could allow privileged network attackers to intercept traffic. Resolved through improved state management.
– Kernel (CVE-2026-20687): A use-after-free bug enabling applications to cause unexpected system termination or write to kernel memory.
– Kernel (CVE-2026-28867 / CVE-2026-28868): Two separate flaws that could leak sensitive kernel state and kernel memory.
– Security Framework (CVE-2026-28864): A permissions flaw granting local attackers access to Keychain items.
– WebKit (CVE-2026-28861, CVE-2026-20643, CVE-2026-20665, CVE-2026-28871): Multiple browser-engine bugs allowing cross-site scripting, Same Origin Policy bypass, Content Security Policy evasion, and cross-origin script handler access via malicious web content.
– AppleKeyStore (CVE-2026-20637): A use-after-free flaw that could lead to unexpected system termination.
– CoreMedia (CVE-2026-20690): An out-of-bounds access bug triggered by malicious audio streams in media files.
– iTunes Store (CVE-2025-43534): A path handling flaw allowing physical-access bypass of Activation Lock.
– curl (CVE-2025-14524): An open-source vulnerability causing unintended transmission of sensitive data over incorrect connections.
Devices Eligible for the Update
The expanded update applies to a wide range of devices, including:
– iPhone XR through iPhone 16e
– iPad models from the 5th-generation iPad mini to iPad Pro M4
Users with Automatic Updates enabled will receive iOS 18.7.7 automatically.
Enhanced Protection with Lockdown Mode
For users at heightened risk, Apple recommends enabling Lockdown Mode, a feature designed to provide robust protection against sophisticated cyber threats like DarkSword.
Conclusion
Apple’s decision to extend the iOS 18.7.7 update underscores the severity of the DarkSword exploit and the company’s commitment to user security. By proactively addressing these vulnerabilities, Apple aims to safeguard its users from potential data breaches and maintain the integrity of its devices.
