Zero-Day Security Alert — March 21, 2026: Apple iOS, macOS, and Safari Actively Exploited
- Jacob Hughes
- Mar 20
Daily Security Briefing
March 21, 2026
CISA added three Apple vulnerabilities to the Known Exploited Vulnerabilities catalog on March 20, 2026. These affect iOS, iPadOS, macOS, watchOS, visionOS, tvOS, and Safari. All three are confirmed actively exploited in the wild and require patching by April 3, 2026.
1. Safari and WebKit Memory Corruption
CVE-2025-31277 | CVSS 8.8 | HIGH Severity | Actively Exploited
Affected Product
Apple Safari (prior to 18.6), iOS and iPadOS (prior to 18.6), macOS Sequoia (prior to 15.6), watchOS (prior to 11.6), visionOS (prior to 2.6), tvOS (prior to 18.6)
Description
A buffer overflow vulnerability exists in Apple WebKit that can be triggered by processing maliciously crafted web content. Successful exploitation leads to memory corruption, potentially allowing an attacker to execute arbitrary code on the target device. This is a network-based attack that requires only that a user visit or be directed to a malicious web page.
Attack Vector
Network-based (CVSS AV:N). Low complexity, no privileges required. Requires user interaction -- the victim must open or navigate to attacker-controlled web content via Safari or any WebKit-based browser. This is the highest-severity CVE in this batch due to its remote exploitability.
Remediation
Update to Safari 18.6, iOS/iPadOS 18.6, macOS Sequoia 15.6, watchOS 11.6, visionOS 2.6, or tvOS 18.6. Organizations managing Apple devices via MDM should push these updates immediately. Block known malicious domains at the network perimeter as an interim measure.
CISA Remediation Due Date: April 3, 2026
2. Apple Kernel Improper Locking -- Shared Memory Corruption
CVE-2025-43510 | CVSS 7.8 | HIGH Severity | Actively Exploited
Affected Product
Apple iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, macOS Tahoe 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, watchOS 26.1, visionOS 26.1, tvOS 26.1, iOS 26.1 and iPadOS 26.1
Description
A memory corruption vulnerability caused by improper lock state checking allows a malicious application to cause unexpected changes in memory shared between processes. This can be leveraged to tamper with data across process boundaries, potentially leading to privilege escalation or information disclosure on affected devices.
Attack Vector
Local (CVSS AV:L). Low complexity, no privileges required, but requires user interaction -- the victim must install or run a malicious application. Exploitation grants the attacker the ability to corrupt shared memory between processes.
Remediation
Update to iOS 18.7.2/iPadOS 18.7.2, iOS 26.1/iPadOS 26.1, macOS Tahoe 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, watchOS 26.1, visionOS 26.1, or tvOS 26.1. Restrict sideloading and enforce app installation only from trusted sources via MDM policies.
CISA Remediation Due Date: April 3, 2026
3. Apple Kernel Buffer Overflow -- System Termination and Kernel Memory Write
CVE-2025-43520 | CVSS 7.1 | HIGH Severity | Actively Exploited
Affected Product
Apple iOS 18.7.2 and earlier, iPadOS 18.7.2 and earlier, macOS Tahoe 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, watchOS 26.1, visionOS 26.1, tvOS 26.1, iOS 26.1 and iPadOS 26.1
Description
A classic buffer overflow vulnerability in the Apple kernel caused by improper memory handling allows a malicious application to cause unexpected system termination or write to kernel memory. Kernel memory write capability can be leveraged for full device compromise, including privilege escalation to root and persistent implant installation.
Attack Vector
Local (CVSS AV:L). Low complexity, requires low privileges, no user interaction needed. An attacker with a foothold on the device (e.g., via a malicious app or chained exploit) can trigger the overflow to write arbitrary data to kernel memory or crash the system.
Remediation
Update to iOS 18.7.2/iPadOS 18.7.2, iOS 26.1/iPadOS 26.1, macOS Tahoe 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, watchOS 26.1, visionOS 26.1, or tvOS 26.1. This vulnerability is particularly dangerous when chained with CVE-2025-31277 (the WebKit flaw above), as a remote web-based entry point can escalate to kernel-level code execution. Prioritize patching accordingly.
CISA Remediation Due Date: April 3, 2026
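The three Remediation paragraphs name different fixed releases per OS branch, so a device can be patched for the WebKit flaw and still be open to the kernel flaws. The following inventory check is an added example, not part of the original briefing: the fixed versions are copied from the Remediation paragraphs above, while the device names, the inventory rows and the function names are constructed for illustration. It checks the OS version only, not a standalone Safari version.

```python
# Added example: fixed versions are copied from the Remediation paragraphs above.
# Device names and the inventory rows are constructed sample data.
KERNEL_FIXES = {
    "ios": {18: "18.7.2", 26: "26.1"},
    "ipados": {18: "18.7.2", 26: "26.1"},
    "macos": {14: "14.8.2", 15: "15.7.2", 26: "26.1"},
    "watchos": {26: "26.1"}, "visionos": {26: "26.1"}, "tvos": {26: "26.1"},
}
FIXED = {
    "CVE-2025-31277": {"ios": {18: "18.6"}, "ipados": {18: "18.6"}, "macos": {15: "15.6"},
                       "watchos": {11: "11.6"}, "visionos": {2: "2.6"}, "tvos": {18: "18.6"}},
    "CVE-2025-43510": KERNEL_FIXES,
    "CVE-2025-43520": KERNEL_FIXES,
}

def parse(version):
    """'18.7.2' -> (18, 7, 2); padded so '26.1' and '26.1.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(cve, platform, version):
    """Return 'patched', 'vulnerable' or 'no-fix-listed' for one device and CVE."""
    branches = FIXED[cve][platform.lower()]
    have = parse(version)
    if have[0] in branches:
        return "patched" if have >= parse(branches[have[0]]) else "vulnerable"
    # Assumption: a major release newer than every fixed branch already has the fix.
    if have[0] > max(branches):
        return "patched"
    # Older branch with no fixed release named in this briefing: needs a major upgrade.
    return "no-fix-listed"

def audit(inventory):
    """Map each device name to the CVEs it still needs attention for."""
    report = {}
    for name, platform, version in inventory:
        open_cves = {cve: s for cve in FIXED
                     if (s := status(cve, platform, version)) != "patched"}
        if open_cves:
            report[name] = open_cves
    return report

# Constructed inventory rows (name, platform, OS version), e.g. from an MDM export.
INVENTORY = [("mac-01", "macOS", "15.6"), ("phone-02", "iOS", "26.0.1"),
             ("phone-03", "iOS", "18.7.2"), ("watch-04", "watchOS", "11.6")]

if __name__ == "__main__":
    for device, cves in audit(INVENTORY).items():
        print(device, cves)
```
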
This report is generated automatically from NVD and CISA KEV data.
