Since WWDC 2025 in early June, the tech community has had its attention fixed on iOS 26. It makes sense: Like all major software updates, the new OS will ship with big new features and changes, but this year’s changes are bigger than most, including Apple’s “Liquid Glass” redesign. But despite the hoopla, iOS 26 isn’t the next update coming to your iPhone (unless you install the beta, of course).
But even as Apple has been finalizing its big fall upgrade, it has subsequently been working on a much smaller update that is, as of today, now available to download: iOS 18.6.
Unlike iOS 26, iOS 18.6 doesn’t change much about your overall iPhone experience. That’s to be expected: This is the sixth major update to iOS 18, so there aren’t many features left for Apple to add. In fact, the only new feature to ship with iOS 18.6 applies exclusively to users in the EU. Those users will find an updated experience when downloading apps and app marketplaces from the web. (EU law forced Apple to allow for this app “sideloading” process, while those of us outside Europe are still locked in to Apple’s App Store.)
Instead of big swings, iOS 18.6 seems to be all about stability. You might not know that from the release notes, though. When you hit up the Software Update screen on your iPhone, you’ll see the following note: “This update provides important bug fixes and security updates, and fixes an issue in Photos that could prevent memory movies from being shared.” It’s always good to squash any bugs within iOS, but I’m not sure how many of us were devastated to run into issues sharing memories out of Photos.
iOS 18.6 is a security update
Instead, you need look just below this bug fix to see the key focus of iOS 18.6. Here, Apple shares a link to its security releases website, a page where the company hosts all of the release notes for its security patches. For some reason, Apple does not disclose these security fixes in the general release notes you see on your iPhone. Unless you visit this website, you’ll only see the new features and bug fixes the company discloses in the Software Update page.
If you visit the security notes for iOS 18.6, you’ll see Apple has 24 patches for various issues across the entire OS. The good news is, none of these flaws appear to be zero-days. Those are the most dangerous types of security vulnerabilities: If a flaw is publicly disclosed or actively exploited before Apple has a chance to issue a patch, it invites hackers to use it to target users.
What do you think so far?
Still, there are some concerning vulnerabilities in this list. There’s an Accessibility flaw that could exploit VoiceOver to read your iPhone’s passcode out loud; a CoreMedia Playback flaw that could allow an app to access your sensitive data; a flaw with Mail that might load remote content even when “Load Remote Images” is disabled, which could let trackers or malicious files work when they’re not supposed to; and a WebKit flaw that could allow a malicious website to “spoof” a URL in your address bar, or, in other words, make you think you’re visiting a legitimate site when you’re really visiting something else entirely.
You can see all 24 flaws listed below, each with what iOS service it affects, its CVE (the identifier used to track the vulnerability), the impact of the flaw, and how it was resolved:
-
Accessibility (CVE-2025-31229): Passcode may be read aloud by VoiceOver. A logic issue was addressed with improved checks.
-
Accessibility (CVE-2025-43217): Privacy Indicators for microphone or camera access may not be correctly displayed. The issue was addressed by adding additional logic.
-
afclip (CVE-2025-43186): Parsing a file may lead to an unexpected app termination. The issue was addressed with improved memory handling.
-
CFNetwork (CVE-2025-43223): A non-privileged user may be able to modify restricted network settings. A denial-of-service issue was addressed with improved input validation.
-
CoreAudio (CVE-2025-43277): Processing a maliciously crafted audio file may lead to memory corruption. The issue was addressed with improved memory handling.
-
CoreMedia (CVE-2025-43210): Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. An out-of-bounds access issue was addressed with improved bounds checking.
-
CoreMedia Playback (CVE-2025-43230): An app may be able to access user-sensitive data. The issue was addressed with additional permissions checks.
-
ICU (CVE-2025-43209): Processing maliciously crafted web content may lead to an unexpected Safari crash. An out-of-bounds access issue was addressed with improved bounds checking.
-
ImageIO (CVE-2025-43209): Processing a maliciously crafted image may result in disclosure of process memory. An out-of-bounds read was addressed with improved input validation.
-
libnetcore (CVE-2025-43202): Processing a file may lead to memory corruption. This issue was addressed with improved memory handling.
-
libxml2 (CVE-2025-7425): Processing a file may lead to memory corruption. This is a vulnerability in open source code and Apple Software is among the affected projects.
-
libxslt (CVE-2025-7424): Processing maliciously crafted web content may lead to memory corruption. This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
-
Mail Drafts (CVE-2025-31276): Remote content may be loaded even when the ‘Load Remote Images’ setting is turned off. This issue was addressed through improved state management.
-
Metal (CVE-2025-43234): Processing a maliciously crafted texture may lead to unexpected app termination. Multiple memory corruption issues were addressed with improved input validation.
-
Model I/O (CVE-2025-43224/CVE-2025-43221): Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. An out-of-bounds access issue was addressed with improved bounds checking.
-
Model I/O (CVE-2025-31281): Processing a maliciously crafted file may lead to unexpected app termination. An input validation issue was addressed with improved memory handling.
-
WebKit (CVE-2025-43228: Visiting a malicious website may lead to address bar spoofing. The issue was addressed with improved UI.
-
WebKit (CVE-2025-43227): Processing maliciously crafted web content may disclose sensitive user information. This issue was addressed through improved state management.
-
WebKit (CVE-2025-31278/CVE-2025-31277/CVE-2025-31273): Processing maliciously crafted web content may lead to memory corruption. The issue was addressed with improved memory handling.
-
WebKit (CVE-2025-43214/CVE-2025-43213CVE-2025-43212): Processing maliciously crafted web content may lead to an unexpected Safari crash. The issue was addressed with improved memory handling.
-
WebKit (CVE-2025-43211): Processing web content may lead to a denial-of-service. The issue was addressed with improved memory handling.
-
WebKit (CVE-2025-43265): Processing maliciously crafted web content may disclose internal states of the app. An out-of-bounds read was addressed with improved input validation.
-
WebKit (CVE-2025-43216): Processing maliciously crafted web content may lead to an unexpected Safari crash. A use-after-free issue was addressed with improved memory management.
-
WebKit (CVE-2025-6558): Processing maliciously crafted web content may lead to an unexpected Safari crash. This is a vulnerability in open source code and Apple Software is among the affected projects.
How to install iOS 18.6
If you have an iPhone that is compatible with iOS 18, just open Settings and head to General > Software Update. Let this page load for a moment, then follow the on-screen instructions to download and install iOS 18.6.
