Apple releases iOS 18.7.7 and iPadOS 18.7.7 for iPhone, iPad and more!
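On the 24th (local time), Apple announced that it has begun offering "iOS 18.7.7 (22H333)" and "iPadOS 18.7.7 (22H333)", the latest releases of the previous-generation "iOS 18" and "iPadOS 18", for its "iOS" platform for iPhone and iPod touch and its "iPadOS" platform for iPad.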
Both updates are said to include fixes for important vulnerabilities. The security update fixes 25 vulnerabilities registered with CVE, including the Kernel-related "CVE-2026-28868", "CVE-2026-28867" and "CVE-2026-20687", the ImageIO-related "CVE-2025-64505", and the WebKit-related "CVE-2026-20665", "CVE-2026-20643", "CVE-2025-43376", "CVE-2026-28871", "CVE-2026-28861" and "CVE-2026-28859".
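The supported models are those that support iOS 18 and iPadOS 18. For iPhone, however, products that support the latest iOS 26 can no longer select the software update to iOS 18.7.7, so the update is for the iPhone XS, iPhone XS Max and iPhone XR, which are not supported by iOS 26. For iPad, it covers the iPad (7th generation), which is not supported by iPadOS 26, as well as the iPadOS 26-supported iPad (8th generation) and later, iPad mini (5th generation) and later, iPad Air (3rd generation) and later, 12.9-inch iPad Pro (3rd generation) and later, and 11-inch iPad Pro (1st generation) and later.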
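As already reported, the company has at the same time begun offering the latest "iOS 26.4" and "iPadOS 26.4" for iPhone, iPad and other devices, and has also started distributing "macOS Tahoe 26.4" for the "Mac" personal computer, "watchOS 26.4" for the "Apple Watch" smartwatch, "tvOS 26.4" for the "Apple TV" smart TV, and "visionOS 26.4" for the "Apple Vision" smart headset.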
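Since iOS 15 and iPadOS 15, released in 2021, Apple has offered a feature that lets users stay on their existing version for a certain period without updating to the next major version. Although the official releases of the latest iOS 26 and iPadOS 26 began rolling out in September 2025, Apple continues to provide security-fix-only software updates for those who keep using iOS 18 or iPadOS 18 for the time being, and it has now released iOS 18.7.7 and iPadOS 18.7.7 as the newest versions of iOS 18.7 and iPadOS 18.7.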
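On devices supported by iOS 18 or iPadOS 18, the update is performed from "Settings" → "About" → "Software Update". When updating on the device itself, the download size is 425.9MB on my iPhone XS Max coming from iOS 18.7.6. As before, the update can also be performed by connecting with a USB-Lightning cable to a Windows PC or Mac with iTunes installed. The update contents and security fixes as described by Apple are as follows. Judging from Apple's behavior so far, security fixes for iOS 18 and iPadOS 18 will likely continue to be provided for some time.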
iOS 18.7.7
This update provides important security fixes and is recommended for all users.
For information on the security content of Apple software updates, please visit this website: https://support.apple.com/100100
iPadOS 18.7.7
This update provides important security fixes and is recommended for all users.
For information on the security content of Apple software updates, please visit this website: https://support.apple.com/100100
iOS 18.7.7 and iPadOS 18.7.7
Released March 24, 2026
- 802.1X
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An attacker in a privileged network position may be able to intercept network traffic
Description: An authentication issue was addressed with improved state management.
CVE-2026-28865: Heloise Gollier and Mathy Vanhoef (KU Leuven)
- AppleKeyStore
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination
Description: A use after free issue was addressed with improved memory management.
CVE-2026-20637: Johnny Franks (zeroxjf), an anonymous researcher
- Audio
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A use-after-free issue was addressed with improved memory management.
CVE-2026-28879: Justin Cohen of Google
- Clipboard
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved validation of symlinks.
CVE-2026-28866: Cristian Dinca (icmd.tech)
- CoreMedia
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing an audio stream in a maliciously crafted media file may terminate the process
Description: An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2026-20690: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
- CoreUtils
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A user in a privileged network position may be able to cause a denial-of-service
Description: A null pointer dereference was addressed with improved input validation.
CVE-2026-28886: Etienne Charron (Renault) and Victoria Martini (Renault)
- Crash Reporter
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to enumerate a user's installed apps
Description: A privacy issue was addressed by removing sensitive data.
CVE-2026-28878: Zhongcheng Li from IES Red Team
- curl
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An issue existed in curl which may result in unintentionally sending sensitive information via an incorrect connection
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2025-14524
- DeviceLink
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to access sensitive user data
Description: A parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2026-28876: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs
- Focus
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to access sensitive user data
Description: A logging issue was addressed with improved data redaction.
CVE-2026-20668: Kirin (@Pwnrin)
- iCloud
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to enumerate a user's installed apps
Description: A permissions issue was addressed with additional restrictions.
CVE-2026-28880: Zhongcheng Li from IES Red Team
- ImageIO
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2025-64505
- iTunes Store
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A user with physical access to an iOS device may be able to bypass Activation Lock
Description: A path handling issue was addressed with improved validation.
CVE-2025-43534: iG0x72 and JJ of XiguaSec, Lehan Dilusha Jayasinghe
- Kernel
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to disclose kernel memory
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28868: 이동하 (Lee Dong Ha of BoB 0xB6)
- Kernel
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to leak sensitive kernel state
Description: This issue was addressed with improved authentication.
CVE-2026-28867: Jian Lee (@speedyfriend433)
- Kernel
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: A use after free issue was addressed with improved memory management.
CVE-2026-20687: Johnny Franks (@zeroxjf)
- mDNSResponder
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to leak sensitive kernel state
Description: This issue was addressed with improved authentication.
CVE-2026-28867: Jian Lee (@speedyfriend433)
- Security
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A local attacker may gain access to user's Keychain items
Description: This issue was addressed with improved permissions checking.
CVE-2026-28864: Alex Radocea
- UIFoundation
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause a denial-of-service
Description: A stack overflow was addressed with improved input validation.
CVE-2026-28852: Caspian Tarafdar
- Vision
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Parsing a maliciously crafted file may lead to an unexpected app termination
Description: The issue was addressed with improved memory handling.
CVE-2026-20657: Andrew Becker
- WebKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 304951
CVE-2026-20665: webb
- WebKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may bypass Same Origin Policy
Description: A cross-origin issue in the Navigation API was addressed with improved input validation.
WebKit Bugzilla: 306050
CVE-2026-20643: Thomas Espach
- WebKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A remote attacker may be able to view leaked DNS queries with Private Relay turned on
Description: A logic issue was addressed with improved state management.
WebKit Bugzilla: 295943
CVE-2025-43376: Mike Cardwell of grepular.com, Bob Lord
- WebKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A malicious website may be able to access script message handlers intended for other origins
Description: A logic issue was addressed with improved state management.
WebKit Bugzilla: 307014
CVE-2026-28861: Hongze Wu and Shuaike Dong from Ant Group Infrastructure Security Team
- WebKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: A logic issue was addressed with improved checks.
WebKit Bugzilla: 305859
CVE-2026-28871: @hamayanhamayan
Article by: memn0ck