iOS 18.7.7: The Security Gap Apple's Label Doesn't Mention

What Shipped on March 24 and Which Devices It Covers

The March 24 release covers a wider range of hardware than the iOS 18.7.7 headline suggests. Apple's iOS 18.7.7 security content page (HT126793) lists 25 distinct CVE entries across 19 system components, covering everything from the Kernel and WebKit to the Security framework's Keychain handling, CoreMedia audio processing, and the curl networking library. The affected devices are specifically the iPhone XR, iPhone XS, iPhone XS Max, and iPad 7th generation: the hardware generation whose maximum supported OS is iOS 18. Users on any device capable of running iOS 26 received their security coverage through iOS 26.4 on the same day; for a full picture of what changed on their devices through iOS 26.4, that release deserves its own review.

macOS users also received updates. Sequoia 15.7.5 carries approximately 56 security fixes, and Sonoma 14.8.5 carries approximately 50, both released simultaneously. The watchOS entries in this batch are a different category entirely. watchOS 5.3.10 and watchOS 8.8.2 shipped on March 24, 2026, but neither carries a single published CVE entry. Both exist for a single operational reason: keeping the activation and cloud messaging certificates current before they reach their scheduled January 2027 expiry date, which would otherwise cut off iCloud-dependent features on older Apple Watch hardware. watchOS 8.8.2 reaches Series 3 through Series 7 and the original Apple Watch SE; watchOS 5.3.10 reaches Series 1 and Series 2 devices.

The March 24 wave therefore represents three distinct tiers of Apple's legacy support operating at once: active security maintenance for iOS 18.x hardware, full security and feature updates for iOS 26.x hardware, and certificate continuity for Apple Watch hardware that has aged past security update eligibility entirely.

The Real Security Story Behind "Security Fixes Only"

iOS 18.7.7's 25 CVEs cover the expected range of components: three Kernel entries addressing memory layout disclosure and use-after-free conditions, five WebKit entries ranging from a Content Security Policy bypass to a Same Origin Policy bypass and a DNS query leak through Private Relay, a Security framework fix for unauthorized local Keychain access, and an 802.1X network authentication gap that allowed an attacker in a privileged network position to intercept traffic. None of the 25 CVEs in this specific release carry Apple's "actively exploited" designation, meaning there is no confirmed evidence that any of these particular vulnerabilities had been weaponized before the patch shipped.

That context matters only if you look at iOS 18.7.7 in isolation. Placed against the full 18.7.x series from September 2025 through March 2026, the picture shifts considerably. Apple's iOS 18.7.3 security bulletin explicitly states that CVE-2025-43529 "may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26." That CVE, a use-after-free flaw in WebKit's JavaScriptCore engine with a CVSSv3.1 score of 9.8, gave attackers a path to run arbitrary code on a device simply by directing a target to a weaponized webpage. CVE-2025-14174, scored at 8.8, exploited a memory corruption condition in the ANGLE graphics library to punch through the WebKit sandbox boundary. Both were discovered and reported by Google's Threat Analysis Group, a team that typically tracks nation-state and commercial surveillance operations.

Three of the eight WebKit or kernel CVEs fixed across the 18.7.x series between September 2025 and March 2026 have confirmed in-the-wild exploitation records, a density of active exploitation that distinguishes this maintenance branch from prior iOS legacy series. That concentration is not coincidental: it is the footprint of a documented exploit chain.

Google's Threat Intelligence Group disclosed DarkSword on March 18, 2026, one week before iOS 18.7.7 shipped. DarkSword is a six-vulnerability exploit chain written entirely in JavaScript, capable of achieving full kernel-level device control from a single webpage visit on iOS 18.4 through 18.7, with no app installation and no user action beyond loading the page. The chain incorporates the CVE-2025-43529 WebKit zero-day patched in iOS 18.7.3, alongside kernel privilege escalation CVEs addressed in iOS 18.7.2. Three separate threat actors deployed it in confirmed campaigns: a suspected Russian espionage group targeting Ukrainian users, a Turkish commercial surveillance vendor operating in Turkey and Malaysia, and a third actor targeting users in Saudi Arabia. On March 23, 2026, the full DarkSword exploit code was leaked publicly on GitHub, the day before iOS 18.7.7 reached devices. What had been government-grade attack tooling became accessible to any attacker with basic web hosting capacity.

All six DarkSword CVEs are already patched in iOS 18.7.2 and 18.7.3. iOS 18.7.7 does not close the DarkSword vulnerabilities because those were addressed in prior point releases. What the GitHub leak changes is the threat environment for any iOS 18.x user who has not kept current through the December 2025 updates. Apple had not published full CVSS scores for the individual CVEs in iOS 18.7.7 itself at the time of publication; the severity analysis above draws on the 18.7.x series as a whole.

The Update Gap iOS 18 Users Don't Know They Have

Even users who install iOS 18.7.7 immediately operate under a structurally different protection model than users on iOS 26. Apple's Background Security Improvements support page (HT102657) specifies that the feature is supported and enabled starting with iOS 26.1, iPadOS 26.1, and macOS 26.1 only. The system delivers lightweight security patches for WebKit, Safari, and adjacent system libraries between full numbered update cycles, without requiring a software update restart and without changing the device's displayed version number.

Background Security Improvements are designed for the components most frequently targeted in mobile exploitation: the browser rendering engine and the system libraries that surround it. When Apple identifies a WebKit vulnerability being actively exploited, the system allows a fix to reach iOS 26.x devices silently, typically overnight, without the user ever seeing an update prompt. iOS 18.x devices have no equivalent mechanism. Every fix, regardless of severity, arrives only in the next numbered point release.

Per Apple's own App Store transaction data from February 12, 2026, 24% of all active iPhones remain on iOS 18, with another 10% on even older versions. That is roughly a third of the active iPhone base operating without access to rapid out-of-band patching, dependent entirely on noticing, downloading, and installing numbered point releases to close newly discovered vulnerabilities.

iOS 26.3.1 received CVE-2026-20643, a WebKit Navigation API same-origin policy bypass, as a silent overnight Background Security Improvement on March 17, 2026; iOS 18.7.x users were not eligible for that delivery and waited for iOS 18.7.7 to carry the fix instead. That seven-day interval is the first publicly observable, concrete instance of the divergence between the two branches. The gap existed conceptually from the moment Background Security Improvements launched with iOS 26.1. The March 17 deployment made it measurable. As Apple uses the system more frequently, the trajectory the evidence points toward is a progressively wider window between the moment a WebKit fix reaches iOS 26 users and the moment the same fix reaches iOS 18 users, expanding in direct proportion to the cadence of Background Security Improvement deployments.

What to Do If You're on iOS 18

The practical action splits depending on which iOS 18 point release a user is currently running.

Users who installed iOS 18.7.3 or later already have the highest-severity confirmed-exploitation CVEs from this series closed. The DarkSword kernel and WebKit vulnerabilities are patched. iOS 18.7.7 adds 25 additional vulnerability closures, none yet carrying confirmed active exploitation records, but representing the attack surface that adversaries study when developing new tooling. Installing iOS 18.7.7 is the correct action regardless of current patch level.

Users still on iOS 18.6.2 or earlier carry unpatched exposure to vulnerabilities that an openly available exploit chain now covers. The DarkSword code leaked on GitHub before iOS 18.7.7 shipped; the barrier to deploying it has dropped from nation-state resourcing to basic web server access. Users on 18.6.x or earlier should treat iOS 18.7.7 as an urgent update, not routine maintenance.

For users whose hardware does support iOS 26, and who are running iOS 18 by choice rather than by hardware limitation, the Background Security Improvements gap provides a concrete operational reason to upgrade that goes beyond features. The device receives silent WebKit patches on iOS 26 that require active installation steps on iOS 18. Adoption figures reflect Apple's own App Store transaction data from February 12, 2026; methodology differences between sources may produce slightly different percentages, but the directional picture is consistent: roughly a third of active iPhones and iPads carry the iOS 18 exposure profile.

The watchOS updates carry no action urgency for security purposes. Installing watchOS 5.3.10 or 8.8.2 before January 2027 keeps iMessage and FaceTime functional on older Apple Watch hardware. That is the only consequence of delaying them.