On March 24, 2026, Apple released iOS 18.7.7 and iPadOS 18.7.7 for a limited set of devices — iPhone XS, XS Max, XR, and the 7th-generation iPad. On April 1, it extended availability to all supported models, from iPhone 11 through iPhone 16. The reason is DarkSword, a full-chain exploit kit that strings together six vulnerabilities to compromise an iPhone from a single web page visit.
How DarkSword works
DarkSword does not exploit a single flaw. According to analyses published by security researchers, the exploit kit chains six vulnerabilities spread across WebKit, Safari, the dynamic loader, and the kernel to achieve full device compromise with no additional user interaction beyond loading a page. Once the chain runs, the malware exfiltrates messages, browsing history, location data, and credentials from cryptocurrency applications to a remote server.
The complexity — six bugs across distinct components, coordinated in sequence — points to substantial development effort and a specific target profile. This is not opportunistic.
The WebKit CVEs involved
iOS 18.7.7 closes five WebKit vulnerabilities that form part of the DarkSword chain or otherwise represented real risks for users on devices not yet running iOS 26:
- CVE-2026-20665: Content Security Policy bypass via maliciously processed web content.
- CVE-2026-20643: Same Origin Policy violation allowing cross-origin scripts to access protected data.
- CVE-2025-43376: DNS leakage issue exposing browsing information.
- CVE-2026-28861: improper access to script handlers inside WKWebView.
- CVE-2026-28871: XSS vulnerability in the rendering engine.
The kernel patches cover three separate CVEs — CVE-2026-28868, CVE-2026-28867, and CVE-2026-20687 — including a use-after-free and kernel state information leakage.
Why this release is unusual
Apple almost never ships security updates for an older OS version while the current release — iOS 26.4, in this case — is already available and covers the same vulnerabilities. The backport to iOS 18 indicates Apple judged the risk serious enough not to wait for users to update to iOS 26 on their own timeline.
Not every device compatible with iOS 18 supports iOS 26. iPhone 11 and iPhone SE second generation, for example, receive iOS 18.7.7 but cannot run iOS 26. For those users, the backport is not an alternative to a major upgrade — it is the only way to get the protection.
What this means for developers
Developers shipping apps that embed web content via WKWebView should note that the WebKit CVEs closed by this update were live vulnerabilities on every device not yet running iOS 18.7.7. Users on iOS 18 who had not yet received the update were exposed to CSP bypass and Same Origin Policy bypass from within a WebView.
There is nothing to fix in the app’s code — the patch is in the OS. But it is worth checking, in any internal support policies, whether users on iOS 18 are being prompted to update. If the app renders untrusted web content through WKWebView, the attack surface was real.
iOS 26.4, released on March 24 alongside the first wave of iOS 18.7.7, covers the same vulnerabilities for anyone already on iOS 26.
Devices covered
iOS 18.7.7 is available for iPhone XR, XS, XS Max, iPhone 11 (all models), iPhone SE second generation, iPhone 12, 13, SE third generation, and iPhone 14, 15, and 16 (all models). iPads compatible with iPadOS 18 receive iPadOS 18.7.7 with the same patches.
The longer-term question is whether Apple will adopt a more systematic backport policy for exploit kits of this severity, or whether iOS 18.7.7 remains an isolated exception. That decision has direct implications for teams maintaining apps across a wide iOS version range and trying to assess residual risk for their users.
