Apparently, Apple isn’t going to patch iOS 18.6.2, meaning I either risk my information with DarkSword or my sanity with iOS 26.
Say what you want about Microsoft — please! use profanity! — but they wouldn’t let a zero-interaction, full-exfil bug go unfixed on a seven month old release.
@mttaggart Nothing explicit, but reading between the lines…
iOS 26 has been fixed. iOS 18 for devices that can’t run iOS 26 has been fixed. And those who can run iOS 26 but don’t want to? [Conspicuous silence.]
@gknauss I think the thing is to move to 18.7.3, which is patched.
For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG. Both exploits develop their own fakeobj/addrof primitives, and then build arbitrary read/write primitives the same way on top of them.
I'm unaware of a compelling reason or hardware limitation to not upgrade from 18.6 to 18.7
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/
@gknauss @mttaggart Try opting into the iOS 18 public beta from the software update settings. It should offer 18.7.3 as an update, and being on that beta branch will prevent iOS 26 from appearing as well.
I did this when 18.7.3 came out since it wasn’t offered as “normal” update, just a final release on the beta branch. 18.7.4 on do seem to be exclusive to older devices though.
@misty I had this set, to avoid an accidental 26 upgrade. It’s saying 18.6.2 is the latest. Developer Beta says the same thing.
Alas, alas.
@misty I’m on a 15 Pro. I’m seeing my Mom on Thursday and will check her SE 3.
Computers were a mistake.
Greg Knauss
Taggart
Misty