CVE-2025-43520: Apple Kernel Buffer Overflow Used by DarkSword, an Actively Exploited iOS/macOS Kernel Write
A memory corruption issue (CWE-120, classic buffer overflow) in Apple's kernel memory handling, tracked as CVE-2025-43520, allows a malicious application to cause unexpected system termination or to write to kernel memory. It is one of six vulnerabilities leveraged by the DarkSword iOS full-chain exploit, which commercial surveillance vendors and suspected state-sponsored actors have used to fully compromise Apple devices running iOS 18.4–18.7.
This section explains the vulnerability in everyday language, so anyone can understand the risk and impact.
**What happened?**
Apple patched a nasty memory bug, a classic buffer overflow: a malicious app could hand the kernel more data than the receiving buffer was sized for, either crashing the device or, worse, writing directly into kernel memory, the most privileged part of the OS. On its own that is already serious; in the real world a kernel write like this is one link in a chain that takes over the whole device, and that is exactly how it was used.
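To make the bug class concrete, here is an added illustration of a CWE-120 overflow in the shape the advisory describes (a length-unchecked copy into a fixed-size kernel-side buffer) next to its bounds-checked form. This is example code written for this page, not Apple's code: it does not reproduce the real XNU code path, object layout or the DarkSword exploit, and `struct kobj`, its field names, `set_name_vulnerable`, `set_name_checked` and the payload bytes are all constructed for the demo.

```c
/* Added illustration of the bug class (CWE-120, classic buffer overflow)
 * behind this advisory. NOT Apple's code: struct kobj, its fields, the
 * function names and the payload are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

#if defined(__GNUC__) || defined(__clang__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Hypothetical kernel object: a fixed-size buffer that user input is
 * copied into, immediately followed by a field only the kernel may set. */
struct kobj {
    uint8_t  name[NAME_LEN];
    uint32_t privileged;      /* 0 = ordinary, non-zero = privileged */
};

/* Vulnerable pattern: the caller-supplied length is trusted and the copy is
 * bounded by it rather than by the destination. A length greater than
 * NAME_LEN runs off the end of name[] into whatever sits next in memory
 * (here: privileged). Returns the number of bytes written.
 * NOINLINE stops the compiler from proving the bound and rewriting the loop. */
NOINLINE size_t set_name_vulnerable(struct kobj *o, const uint8_t *src, size_t len)
{
    uint8_t *dst = o->name;
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];               /* no comparison against NAME_LEN */
    return len;
}

/* Hardened pattern: validate the length against the destination before any
 * memory is touched, and refuse rather than silently truncate so the caller
 * gets a clear error. Returns 0 on success, -1 on rejection. */
int set_name_checked(struct kobj *o, const uint8_t *src, size_t len)
{
    if (o == NULL || src == NULL || len > NAME_LEN)
        return -1;
    memset(o->name, 0, NAME_LEN);      /* deterministic padding */
    memcpy(o->name, src, len);         /* len <= NAME_LEN is now guaranteed */
    return 0;
}

/* Two self-checks callable without main(): exact-fit input is accepted and
 * stored; an oversize request is rejected and the adjacent field is intact. */
int checked_accepts_exact_fit(void)
{
    struct kobj o = {{0}, 0};
    uint8_t in[NAME_LEN];
    memset(in, 'B', NAME_LEN);
    return set_name_checked(&o, in, NAME_LEN) == 0
        && memcmp(o.name, in, NAME_LEN) == 0
        && o.privileged == 0;
}

int checked_rejects_overflow(void)
{
    struct kobj o = {{0}, 0};
    uint8_t in[NAME_LEN + 4];
    memset(in, 'C', sizeof in);
    return set_name_checked(&o, in, sizeof in) == -1
        && o.privileged == 0;          /* adjacent field never touched */
}

int main(void)
{
    /* Constructed "attacker-controlled" input: NAME_LEN filler bytes plus
     * four bytes that, on a little-endian build, spell the uint32 value 1
     * and land exactly on o.privileged when the bound is not checked. */
    uint8_t payload[NAME_LEN + sizeof(uint32_t)];
    memset(payload, 'A', NAME_LEN);
    payload[NAME_LEN + 0] = 0x01;
    payload[NAME_LEN + 1] = 0x00;
    payload[NAME_LEN + 2] = 0x00;
    payload[NAME_LEN + 3] = 0x00;

    struct kobj o = {{0}, 0};
    printf("before: privileged=%u\n", o.privileged);
    set_name_vulnerable(&o, payload, sizeof payload);   /* out-of-bounds write */
    printf("after unchecked copy: privileged=%u\n", o.privileged);

    struct kobj p = {{0}, 0};
    int rc = set_name_checked(&p, payload, sizeof payload);
    printf("checked copy: rc=%d privileged=%u\n", rc, p.privileged);
    return 0;
}
```

The unchecked copy in `main` is deliberately undefined behaviour in standard C (that is the bug); on a typical little-endian build it flips the adjacent field, which is the "write to kernel memory" outcome in miniature, while the checked version refuses the same input before touching anything. Build with a sanitizer (`-fsanitize=address`) and the vulnerable path is reported as a stack-buffer-overflow, which is the cheap way to catch this pattern in your own code.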
**The DarkSword connection**
Google's Threat Intelligence Group (GTIG) discovered that CVE-2025-43520 is one of six zero-days chained together in an exploit kit called **DarkSword**. Active since at least November 2025, DarkSword was used by multiple commercial surveillance vendors and suspected state-sponsored groups, including a Russian espionage cluster tracked as UNC6353, to fully take over iPhones with no user interaction beyond visiting a malicious website.
Targets were in Saudi Arabia, Turkey, Malaysia, and Ukraine. The end payloads were spyware families GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
**Who's at risk?**
Anyone running iOS 18.4–18.7, macOS Sonoma before 14.8.2, macOS Sequoia before 15.7.2, or watchOS, tvOS or visionOS before 26.1.
**What should you do?**
Update now:
- iPhone/iPad → iOS 18.7.2 or iOS 26.1
- Mac → macOS Sonoma 14.8.2 or macOS Sequoia 15.7.2
- Apple Watch → watchOS 26.1
- Apple TV / Vision Pro → tvOS 26.1 / visionOS 26.1
If you can't update right away, Apple recommends that high-risk individuals enable **Lockdown Mode**. Treat it as a stopgap, not a fix: it narrows the attack surface that web-delivered chains like DarkSword rely on, but it does not remove the kernel bug, so install the update as soon as you can.
Affected Products
- iOS/iPadOS 18.4–18.7
- macOS Sonoma before 14.8.2
- macOS Sequoia before 15.7.2
- watchOS, tvOS and visionOS before 26.1
Remediation
Update to iOS/iPadOS 18.7.2 or 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, watchOS 26.1, tvOS 26.1, or visionOS 26.1. High-risk users unable to update should enable Apple Lockdown Mode.
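For fleet or self checks it helps to compare the reported OS version against the fixed versions above numerically rather than as strings (a string comparison puts "15.10" before "15.7.2"). The following is an added example, not Apple tooling: the table is transcribed from the remediation text on this page, the function names (`vercmp`, `patch_status`) are ours, and anything below the fixed version on a listed release line is treated as needing the update, which is the conservative reading of the advisory. It goes beyond the page in one way only: it handles any dotted version string, not just the ones listed.

```c
/* Added example: decide whether a reported Apple OS version is at or above
 * the version that carries the fix in this advisory. Not Apple tooling; the
 * table is transcribed from the remediation text above, function names are
 * ours. Build: cc -o patchcheck patchcheck.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum patch_status { NOT_COVERED = -1, NEEDS_UPDATE = 0, PATCHED = 1 };

/* Read one dotted-version component and advance past it and its dot. A
 * non-numeric remainder ("18.7.2beta") is ignored from that point on. */
static long next_component(const char **p)
{
    char *end;
    long v = strtol(*p, &end, 10);
    if (end == *p) {            /* no digits here: consume the rest as 0 */
        *p += strlen(*p);
        return 0;
    }
    *p = (*end == '.') ? end + 1 : end;
    return v;
}

/* Numeric dotted comparison: "15.10" > "15.7.2", "26.1" == "26.1.0".
 * A plain strcmp() gets both of those wrong. Returns <0, 0 or >0. */
int vercmp(const char *a, const char *b)
{
    while (*a || *b) {
        long x = *a ? next_component(&a) : 0;
        long y = *b ? next_component(&b) : 0;
        if (x != y)
            return x < y ? -1 : 1;
    }
    return 0;
}

/* Fixed versions from the advisory. major == 0 means "any release line":
 * the advisory gives a single fixed version for watchOS/tvOS/visionOS. */
struct fix { const char *product; int major; const char *fixed; };
static const struct fix fixes[] = {
    { "iOS",      18, "18.7.2" },
    { "iOS",      26, "26.1"   },
    { "iPadOS",   18, "18.7.2" },
    { "iPadOS",   26, "26.1"   },
    { "macOS",    14, "14.8.2" },   /* Sonoma  */
    { "macOS",    15, "15.7.2" },   /* Sequoia */
    { "watchOS",   0, "26.1"   },
    { "tvOS",      0, "26.1"   },
    { "visionOS",  0, "26.1"   },
};

/* PATCHED if version >= the fixed version for that product's release line,
 * NEEDS_UPDATE if below it, NOT_COVERED if the advisory lists no fix for
 * that line (for example macOS 26 is not mentioned above). */
int patch_status(const char *product, const char *version)
{
    int major = (int)strtol(version, NULL, 10);
    for (size_t i = 0; i < sizeof fixes / sizeof fixes[0]; i++) {
        if (strcmp(fixes[i].product, product) != 0)
            continue;
        if (fixes[i].major == 0 || fixes[i].major == major)
            return vercmp(version, fixes[i].fixed) >= 0 ? PATCHED : NEEDS_UPDATE;
    }
    return NOT_COVERED;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <iOS|iPadOS|macOS|watchOS|tvOS|visionOS> <version>\n"
                        "  on a Mac: %s macOS \"$(sw_vers -productVersion)\"\n",
                argv[0], argv[0]);
        return 2;
    }
    switch (patch_status(argv[1], argv[2])) {
    case PATCHED:      printf("%s %s: patched\n", argv[1], argv[2]); return 0;
    case NEEDS_UPDATE: printf("%s %s: update required\n", argv[1], argv[2]); return 1;
    default:           printf("%s %s: not covered by this advisory\n", argv[1], argv[2]); return 3;
    }
}
```

On a Mac, `sw_vers -productVersion` prints the running version; for managed iPhones and iPads feed the version your MDM inventory reports. The exit code (0 patched, 1 update required, 3 not covered) is meant for scripting, and "not covered" is a prompt to check Apple's own security release notes rather than a clean bill of health.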