CISA warns of actively exploited Apple vulnerabilities affecting macOS, iOS, and iPadOS


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that several Apple vulnerabilities affecting macOS, iOS, iPadOS, Safari, and other Apple platforms are actively exploited in real-world attacks. The agency added three flaws to its Known Exploited Vulnerabilities (KEV) catalog on March 5, 2026, signaling that attackers are already leveraging them and that organizations should patch affected systems as soon as possible.

The KEV catalog lists vulnerabilities that CISA confirms are being exploited in the wild. When a flaw appears in this catalog, federal agencies must prioritize remediation because attackers may use the vulnerability to gain access, run malicious code, or compromise devices and networks.

These Apple vulnerabilities involve memory handling errors and arithmetic logic flaws that could allow attackers to execute code on affected systems. Some attacks may occur when users process specially crafted web content or install malicious applications that exploit the weaknesses.

CISA stated that “the Known Exploited Vulnerabilities Catalog is a living list of vulnerabilities that carry significant risk to federal enterprises because they are actively exploited.”

Newly exploited Apple vulnerabilities

CISA added the following vulnerabilities to its KEV catalog.

CVE ID           Vulnerability Type             Affected Platforms                     Potential Impact
CVE-2023-43000   Use-after-free memory error    macOS, iOS, iPadOS, Safari 16.6        Memory corruption and possible code execution
CVE-2023-41974   Use-after-free vulnerability   iOS and iPadOS                         Malicious apps could execute code with elevated privileges
CVE-2021-30952   Integer overflow flaw          tvOS, macOS, Safari, watchOS, iPadOS   Arbitrary code execution

Use-after-free vulnerabilities occur when software continues using memory after it has been freed and potentially reassigned. Attackers can exploit that condition to overwrite memory and run malicious code.
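The "freed and potentially reassigned" condition described above is exactly what a generation-tagged handle table is designed to catch. The following C block is an added illustration (not code from the advisory or from Apple): every slot carries a generation counter that is bumped on free, so a stale handle no longer matches and is refused instead of silently touching whatever now occupies the memory. Slot sizes and payload strings are constructed for the example.

```c
/* Added example: generation-tagged handles that turn a use-after-free
 * into a detectable error. Not from the advisory or any Apple code;
 * SLOT_COUNT, payload size and the demo strings are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SLOT_COUNT 4

typedef struct { uint32_t index; uint32_t generation; } handle_t;

static struct {
    bool     live;
    uint32_t generation;   /* incremented every time the slot is freed */
    char     payload[32];
} slots[SLOT_COUNT];

/* Allocate a free slot and hand back a handle stamped with its generation. */
bool slot_alloc(handle_t *out, const char *data) {
    for (uint32_t i = 0; i < SLOT_COUNT; i++) {
        if (!slots[i].live) {
            slots[i].live = true;
            strncpy(slots[i].payload, data, sizeof slots[i].payload - 1);
            slots[i].payload[sizeof slots[i].payload - 1] = '\0';
            *out = (handle_t){ i, slots[i].generation };
            return true;
        }
    }
    return false;
}

/* Resolve a handle. Freed or reassigned slots fail the generation match. */
const char *slot_get(handle_t h) {
    if (h.index >= SLOT_COUNT || !slots[h.index].live ||
        slots[h.index].generation != h.generation)
        return NULL;
    return slots[h.index].payload;
}

/* Free a slot; bumping the generation invalidates every outstanding handle. */
bool slot_free(handle_t h) {
    if (slot_get(h) == NULL) return false;   /* double free is refused too */
    slots[h.index].live = false;
    slots[h.index].generation++;
    return true;
}

/* Self-check: the stale handle is refused even after its slot is reused. */
bool demo_stale_handle(void) {
    handle_t a, b;
    if (!slot_alloc(&a, "first") || !slot_free(a)) return false;
    if (slot_get(a) != NULL || slot_free(a)) return false;     /* stale, double free */
    if (!slot_alloc(&b, "second") || b.index != a.index) return false; /* slot reused */
    return slot_get(a) == NULL && strcmp(slot_get(b), "second") == 0;
}
```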

Integer overflow flaws happen when a program computes a value larger than its integer type can hold, so the result wraps around to a small number. Attackers may manipulate that wrapped value to bypass security checks such as length comparisons, or to execute arbitrary instructions.
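An added C example (not from the advisory or Apple's code) of the check-bypass mechanism described above: a record count from an untrusted header is multiplied by a fixed record size, the 32-bit product wraps, and a plain comparison accepts it. The hardened version detects the wrap with the compiler's checked-arithmetic builtin. RECORD_SIZE, BUFFER_LIMIT and the sample counts are constructed values.

```c
/* Added example: an arithmetic wrap that slips past a bounds check, and
 * the checked version. Constants and inputs are constructed for the demo. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RECORD_SIZE  16u     /* bytes per record in a hypothetical format */
#define BUFFER_LIMIT 4096u   /* bytes actually available for records */

/* Vulnerable pattern: the product is computed in 32 bits, so a hostile
 * count wraps modulo 2^32 and the "needed <= limit" test passes. */
bool records_fit_unchecked(uint32_t count) {
    uint32_t needed = count * RECORD_SIZE;   /* may wrap */
    return needed <= BUFFER_LIMIT;
}

/* Hardened pattern: refuse any count whose byte total does not fit
 * in the type before comparing it against the limit. */
bool records_fit_checked(uint32_t count) {
    uint32_t needed;
    if (__builtin_mul_overflow(count, RECORD_SIZE, &needed))
        return false;                        /* product overflowed */
    return needed <= BUFFER_LIMIT;
}

int main(void) {
    uint32_t honest  = 100;          /* 1600 bytes: fits under both checks */
    uint32_t hostile = 0x10000001u;  /* 0x10000001 * 16 wraps to 16 bytes */
    printf("honest : unchecked=%d checked=%d\n",
           records_fit_unchecked(honest), records_fit_checked(honest));
    printf("hostile: unchecked=%d checked=%d\n",
           records_fit_unchecked(hostile), records_fit_checked(hostile));
    return 0;
}
```

The unchecked function reports that the hostile count fits, which is the point at which a real parser would go on to write far more than BUFFER_LIMIT bytes.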

Why these flaws matter

These vulnerabilities allow attackers to execute code, escalate privileges, or compromise Apple devices after delivering malicious content or applications. Because Apple platforms are widely used across corporate networks and government agencies, exploitation of these flaws could enable attackers to move laterally, steal sensitive data, or deploy additional malware.

Security agencies often treat vulnerabilities that allow arbitrary code execution or kernel-level access as high priority because they can give attackers deep control over a device.

CISA noted that it currently has no confirmation linking these vulnerabilities to ransomware campaigns. However, the agency stresses that active exploitation still represents a serious threat because attackers frequently combine multiple vulnerabilities to escalate attacks inside networks.

CISA deadline for federal agencies

Under Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate vulnerabilities listed in the KEV catalog within a defined timeline. For these Apple vulnerabilities, CISA requires agencies to apply fixes by March 26, 2026.

Although this mandate applies specifically to U.S. federal agencies, CISA recommends that private organizations follow the same timeline when possible because attackers often target widely deployed software vulnerabilities.

Organizations managing Apple devices should take the following steps immediately.

  • Install the latest Apple security updates for macOS, iOS, iPadOS, Safari, and related platforms.
  • Review device management policies to ensure operating systems and applications receive updates automatically.
  • Monitor devices for suspicious behavior that could indicate exploitation attempts.
  • Follow vendor guidance and patch management procedures for enterprise environments.
  • Disable or isolate vulnerable systems if patches cannot be applied immediately.

Keeping systems updated remains one of the most effective defenses against vulnerabilities that attackers actively exploit.

Vulnerability overview

Category              Details
Affected vendor       Apple
Impact                Code execution, memory corruption, privilege escalation
Exploitation status   Confirmed active exploitation
Affected products     macOS, iOS, iPadOS, Safari, tvOS, watchOS
Mitigation            Apply Apple security updates

FAQ

What is the KEV catalog?

The Known Exploited Vulnerabilities catalog is a list maintained by CISA that tracks software flaws confirmed to be exploited in real attacks. Federal agencies must remediate these vulnerabilities within required timelines.

Are these vulnerabilities already used by attackers?

Yes. CISA added the vulnerabilities to the KEV catalog because evidence shows threat actors are exploiting them in the wild.

Do these vulnerabilities affect only Apple devices?

Yes. The listed vulnerabilities specifically affect Apple platforms including macOS, iOS, iPadOS, Safari, tvOS, and watchOS.

Should home users worry about these vulnerabilities?

Yes. While the directive applies to government agencies, home users and businesses should install Apple security updates as soon as they become available.
