Apple patches Coruna WebKit exploit
Apple released urgent updates for older iPhones and iPads to fix a WebKit flaw actively exploited by the Coruna spyware — the vulnerability allowed remote code execution in targeted attacks. This patch changes the immediate security posture for test and legacy devices: update your fleet and audit any WebKit-dependent flows in hybrid apps.
Apple released iOS 15.8.7 (support.apple.com) and iOS 16.7.15 (support.apple.com) on March 11, 2026 to backport fixes for Coruna-linked flaws to legacy hardware. iOS 15.8.7 targets iPhone 6s, iPhone 7, iPhone SE (1st gen), iPad Air 2, iPad mini 4 and iPod touch (7th gen) (support.apple.com), while iOS 16.7.15 covers iPhone 8, iPhone 8 Plus, iPhone X, iPad (5th generation), iPad Pro 9.7‑inch and iPad Pro 12.9‑inch (1st gen) (support.apple.com).
The updates backport fixes for CVE‑2023‑41974 (a kernel use‑after‑free that could allow arbitrary code with kernel privileges) (support.apple.com), CVE‑2024‑23222 (a WebKit type‑confusion issue) (support.apple.com), CVE‑2023‑43000 (a WebKit use‑after‑free) (support.apple.com) and CVE‑2023‑43010 (a WebKit memory‑corruption flaw) (support.apple.com).
Google’s Threat Intelligence Group reported Coruna as a toolkit containing 23 exploits across five full iOS exploit chains targeting devices running iOS 13.0 through 17.2.1 (cloud.google.com). GTIG says parts of an exploit chain were first observed in February 2025 during a surveillance‑vendor investigation (cloud.google.com), and public technical disclosures about the framework were coordinated between March 3–5, 2026 by GTIG and independent researchers (labs.cloudsecurityalliance.org). GTIG’s analysis traces Coruna’s operational history from a surveillance‑vendor customer to campaigns attributed to UNC6353 and later to financially motivated group UNC6691, and several reports tie subsequent Coruna use to crypto‑theft and mass abuse (cloud.google.com).
Apple’s security notes list Félix Poulin‑Bélanger as the reporter for CVE‑2023‑41974 (support.apple.com), and the advisories do not publish operational indicators of compromise in the public bulletin, according to coverage of the release (cyberwarzone.com).
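
For the fleet update step, one way to triage a device inventory against the versions named in this article. This is an added example, not code from Apple, GTIG or the original article. The CSV layout, device IDs and status labels are assumptions, and the sample inventory is constructed.

```python
import csv
import io

# Versions and range below come from the article; everything else is constructed.
PATCHED = {15: (15, 8, 7), 16: (16, 7, 15)}       # backport releases named above
TARGET_MIN, TARGET_MAX = (13, 0, 0), (17, 2, 1)   # range GTIG reported as targeted

# Constructed sample inventory (hypothetical device IDs and export format).
SAMPLE_INVENTORY = """device_id,model,os_version
lab-01,iPhone 7,15.8.6
lab-02,iPhone 8,16.7.15
lab-03,iPhone X,16.7.2
lab-04,iPad Air 2,15.8.7
lab-05,iPhone 6s,14.8.1
lab-06,iPhone 15,17.2.1
lab-07,iPhone 15,18.1
"""

def parse_version(text):
    """Turn '16.7' or '15.8.7' into a 3-tuple so comparison is numeric.
    Compared as strings, '16.7.15' sorts before '16.7.2' and would look unpatched."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def classify(os_version):
    """Return a triage label for one OS version string."""
    v = parse_version(os_version)
    if not (TARGET_MIN <= v <= TARGET_MAX):
        return "outside-reported-range"
    fixed = PATCHED.get(v[0])
    if fixed is None:
        # 13.x, 14.x and 17.0-17.2.1: the article names no backport release
        # for these branches, so they need manual review.
        return "in-range-no-backport-listed"
    return "patched" if v >= fixed else "needs-update"

def audit(csv_text):
    """Map device_id -> triage label for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["device_id"]: classify(row["os_version"]) for row in rows}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

The labels reflect only the OS version; whether a given model can install the named release still has to be checked against Apple's device lists quoted above.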