Urgent Apple Update: Crucial Defense Against DarkSword Exploit Threat
Apple has taken a significant and rare step, expanding the availability of iOS 18.7.7 and iPadOS 18.7.7 to a wider array of devices. This critical move, initiated on April 1, 2026, pushes vital backported security patches to millions of users still operating on iOS 18. These users previously remained exposed to DarkSword, a highly sophisticated, web-delivered exploit chain capable of silently stealing vast amounts of sensitive user data.
Understanding the DarkSword Exploit
DarkSword is a fully weaponized iOS exploit kit. It was first identified in active campaigns as early as November 2025 by security researchers including Google’s Threat Intelligence Group (GTIG), iVerify, and Lookout. The toolkit specifically targets devices running iOS 18.4 through 18.7.
It chains six distinct vulnerabilities, including critical bugs in JavaScriptCore, dyld, and the iOS sandbox, to achieve full kernel-level code execution with zero user interaction: a single visit to a malicious website is enough. Once deployed, DarkSword exfiltrates passwords, messages, browser history, location data, cryptocurrency wallet contents, and even Apple Health data within seconds, then wipes its own traces.
The threat escalated sharply in March 2026, when the DarkSword toolkit was publicly leaked on GitHub. The leak significantly lowered the barrier for less sophisticated threat actors to weaponize it. Before the leak, multiple commercial surveillance vendors and suspected state-sponsored actors had already deployed DarkSword against high-value targets in regions such as Saudi Arabia, Turkey, Malaysia, and Ukraine.
Apple’s Crucial Update for DarkSword Exploit
iOS 18.7.7 was initially released on March 24, 2026. On April 1, 2026, Apple extended its availability to a broader device pool, explicitly citing the pervasive nature of the DarkSword threat. This is an unusual policy shift for Apple, which has traditionally required users to upgrade to the latest major iOS release to receive essential security fixes.
The company confirmed that the underlying DarkSword patches were originally shipped in 2025 but are now being backported to protect the approximately 20% of users still on iOS 18, who were otherwise vulnerable to this potent exploit.
Key Vulnerabilities Patched in iOS 18.7.7:
- 802.1X (CVE-2026-28865): An authentication flaw allowing privileged network attackers to intercept traffic, fixed via improved state management. Discovered by Héloïse Gollier and Mathy Vanhoef of KU Leuven.
- Kernel (CVE-2026-20687): A use-after-free bug enabling apps to cause unexpected system termination or write to kernel memory. Reported by Johnny Franks (@zeroxjf).
- Kernel (CVE-2026-28867 / CVE-2026-28868): Two separate flaws leaking sensitive kernel state and kernel memory. Discovered by Jian Lee (@speedyfriend433) and Lee Dong Ha of BoB 0xB6.
- Security Framework (CVE-2026-28864): A permissions flaw granting local attackers access to Keychain items. Reported by Alex Radocea.
- WebKit (CVE-2026-28861, CVE-2026-20643, CVE-2026-20665, CVE-2026-28871): Multiple browser-engine bugs enabling cross-site scripting, Same Origin Policy bypass, Content Security Policy evasion, and cross-origin script handler access via maliciously crafted web content.
- AppleKeyStore (CVE-2026-20637): A use-after-free flaw enabling unexpected system termination.
- CoreMedia (CVE-2026-20690): An out-of-bounds access bug triggered by malicious audio streams in media files. Found by Hossein Lotfi of Trend Micro Zero Day Initiative.
- iTunes Store (CVE-2025-43534): A path handling flaw allowing physical-access bypass of Activation Lock.
- curl (CVE-2025-14524): An open-source vulnerability causing unintended transmission of sensitive data over incorrect connections.
Who Is Affected and What to Do
The iOS 18.7.7 update applies to a broad spectrum of devices, encompassing iPhone XR through iPhone 16e, and a wide range of iPad models, from the 5th-generation iPad mini to the iPad Pro M4. Users who have enabled Automatic Updates will receive iOS 18.7.7 without manual intervention, ensuring they are protected against the DarkSword exploit.
Apple has also confirmed that Lockdown Mode provides effective protection against DarkSword for high-risk users who require enhanced hardening against sophisticated digital threats.
For the most comprehensive long-term protection, Apple continues to strongly recommend upgrading to iOS 26.3 or later. These latest major releases fully address all vulnerabilities related to the DarkSword exploit and offer the most up-to-date security safeguards.
