Apple rolls out iOS and macOS platform updates to fix serious security bugs that could be triggered simply by opening an image or video file.

Apple on Monday pushed out patches for security vulnerabilities across the macOS, iPhone and iPad software stack, warning that code-execution bugs that could be triggered simply by opening a rigged image, video or website.

The new iOS 18.5 update, rolled out alongside patches for iPadOS, covers critical bugs in AppleJPEG and CoreMedia with a major warning from Cupertino that attackers could craft malicious media files to run arbitrary code with the privileges of the targeted app.

The company also documented serious file-parsing vulnerabilities patched in CoreAudio, CoreGraphics, and ImageIO, each capable of crashing apps or leaking data if booby-trapped content is opened.

The iOS 18.5 update also provides cover for at least 9 documented WebKit flaws, some serious enough to lead to exploits that allow a hostile website to execute code or crash the Safari browser engine.

The company also patched a serious ‘mute-button’ flaw in FaceTime that exposes the audio conversation even after muting the microphone.

Beneath the interface, Apple said iOS 18.5 hardens the kernel against two memory-corruption issues and cleans up a libexpat flaw (CVE-2024-8176) that affects a broad range of software projects.

Other notable fixes include an issue in Baseband (CVE-2025-31214) that allows attackers in a privileged network position to intercept traffic on the new iPhone 16e line; a privilege escalation bug in mDNSResponder (CVE-2025-31222); an issue in Notes that expose data from a locked iPhone screen; and security gaps in FrontBoard, iCloud Document Sharing, and Mail Addressing.