AppleがiPhoneやiPadなど向けiOS 18.7.9とiPadOS 18.7.9をリリース!
Appleは11日(現地時間)、iPhoneおよびiPod touch向けプラットフォーム「iOS」とiPad向けプラットフォーム「iPadOS」において前バージョン「iOS 18」や「iPadOS 18」の最新版「iOS 18.7.9(22H355)」および「iPadOS 18.7.9(22H355)」を提供開始したとお知らせしています。変更点はともに不具合および脆弱性の修正が含まれているとされており、セキュリティーアップデートについてはCVEに登録されているKernel関連の「CVE-2026-43654」などの47個の脆弱性が修正されているということです。
対象機種はiOS 18やiPadOS 18の対応機種となっており、すでにiPhoneについては最新のiOS 26に対応した製品についてはiOS 18.7.7へのソフトウェア更新を選べなくなっているため、iOS 26の対象機種ではないiPhone XSやiPhone XS Max、iPhone XR向けとなっているほか、iPadについてはiPadOS 26の対象外となるiPad(第7世代)のほか、iPadOS 26の対象機種のiPad(第8世代)以降やiPad mini(第5世代)以降、iPad Air(第3世代)以降、12.9インチiPad Pro(第3世代)以降、11インチiPad Pro(第1世代)以降となっています。
なお、すでに紹介しているように同社では合わせて最新の「iOS 26.5」および「iPadOS 26.5」のほか、より古いiPhoneやiPadなど向けに「iPadOS 17.7.11」や「iOS 16.7.16」および「iPadOS 16.7.17」、「iOS 15.8.8」および「iPadOS 15.8.8」、パソコン「Mac」向け「macOS Tahoe 26.5」、スマートウォッチ「Apple Watch」向け「watchOS 26.5」、スマートテレビ「Apple TV」向け「tvOS 26.5」、スマートヘッドセット「Apple Vision」向け「visionOS 26.5」なども配信開始しています。
Appleでは2021年に提供開始したiOS 15およびiPadOS 15から一定期間は次の最新バージョンに更新せずに既存のバージョンに留まる機能を提供しており、2025年9月に最新のiOS 26やiPadOS 26の正式版が配信開始されましたが、引き続いてしばらくiOS 18やiPadOS 18で使う場合を対象にセキュリティー修正のみを行ったソフトウェア更新を提供しており、今回、新たにiOS 18.7およびiPadOS 18.7の最新バージョンとなるiOS 18.7.9およびiPadOS 18.7.9が提供開始されました。
iOS 18やiPadOS 18の対象機種の場合には「設定」→「情報」→「ソフトウェアアップデート」から行います。単体でアップデートする場合のダウンロードサイズは手持ちのiPhone XS MaxでiOS 18.7.8からの場合では352.9MBとなっています。更新は従来通りにiTunesをインストールしたWindowsおよびMacとUSB-Lightningケーブルで接続しても実施できます。Appleが案内しているアップデートの内容およびセキュリティー修正は以下の通り。なお、これまでのAppleの動きからすると、今後もしばらくはiOS 18やiPadOS 18へのセキュリティー修正が継続して提供されると思われます。
iOS 18.7.9
このアップデートには、iPhone用のバグ修正とセキュリティアップデートが含まれています。Appleソフトウェアアップデートのセキュリティコンテンツについては、以下のWebサイトをご覧ください: https://support.apple.com/100100
iPadOS 18.7.9
このアップデートには、iPad用のバグ修正とセキュリティアップデートが含まれています。Appleソフトウェアアップデートのセキュリティコンテンツについては、以下のWebサイトをご覧ください: https://support.apple.com/100100
iOS 18.7.9 and iPadOS 18.7.9
Released May 11, 2026– Accounts
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to access sensitive user data
Description: An authorization issue was addressed with improved state management.
CVE-2026-28877: Rosyna Keller of Totally Not Malicious Software– APFS
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2026-28959: Dave G.– App Intents
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A malicious app may be able to break out of its sandbox
Description: A logic issue was addressed with improved restrictions.
CVE-2026-28995: Vamshi Paili, Tony Gorez (@tonygo_) for Reverse Society– Audio
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing an audio stream in a maliciously crafted media file may terminate the process
Description: The issue was addressed with improved memory handling.
CVE-2026-39869: David Ige of Beryllium Security– Calendar
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue was addressed with improved input validation.
CVE-2026-28872: Alvin Aries Tapia– Calling Framework
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A remote attacker may be able to cause a denial-of-service
Description: A denial-of-service issue was addressed with improved input validation.
CVE-2026-28894: an anonymous researcher– CoreServices
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: The issue was addressed with improved checks.
CVE-2026-28936: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs– FileProvider
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to access sensitive user data
Description: A race condition was addressed with additional validation.
CVE-2026-43659: Alex Radocea– GeoServices
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to access sensitive user data
Description: An information leakage was addressed with additional validation.
CVE-2026-28870: XiguaSec– ImageIO
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing a maliciously crafted file may lead to unexpected app termination
Description: The issue was addressed with improved bounds checks.
CVE-2026-28977: Suresh Sundaram– IOHIDFamily
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An attacker may be able to cause unexpected app termination
Description: A memory corruption vulnerability was addressed with improved locking.
CVE-2026-28992: Johnny Franks (@zeroxjf)– IOHIDFamily
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to determine kernel memory layout
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28943: Google Threat Analysis Group– IOKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination
Description: A use after free issue was addressed with improved memory management.
CVE-2026-28969: Mihalis Haatainen, Ari Hawking, Ashish Kunwar– Kernel
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to disclose kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2026-43654: Vaagn Vardanian, Nathaniel Oh (@calysteon)– Kernel
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A maliciously crafted disk image may bypass Gatekeeper checks
Description: A file quarantine bypass was addressed with additional checks.
CVE-2026-28954: Yiğit Can YILMAZ (@yilmazcanyigit)– Kernel
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: A buffer overflow was addressed with improved input validation.
CVE-2026-28897: Robert Tran, popku1337, Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Aswin kumar Gokulakannan– Kernel
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination
Description: An integer overflow was addressed with improved input validation.
CVE-2026-28952: Calif.io in collaboration with Claude and Anthropic Research– Kernel
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to gain root privileges
Description: An authorization issue was addressed with improved state management.
CVE-2026-28951: Csaba Fitzl (@theevilbit) of Iru– Kernel
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2026-28972: Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Ryan Hileman via Xint Code (xint.io)– Kernel
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to cause unexpected system termination
Description: A race condition was addressed with additional validation.
CVE-2026-28986: Tristan Madani (@TristanInSec) from Talence Security, Ryan Hileman via Xint Code (xint.io), Chris Betz– Kernel
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to leak sensitive kernel state
Description: A logging issue was addressed with improved data redaction.
CVE-2026-28987: Dhiyanesh Selvaraj (@redroot97)– LaunchServices
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A remote attacker may be able to cause a denial of service
Description: A type confusion issue was addressed with improved checks.
CVE-2026-28983: Ruslan Dautov– libxpc
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to enumerate a user’s installed apps
Description: This issue was addressed with improved checks.
CVE-2026-28882: Ilya Andr (andrd3v), Ilias Morad (A2nkF) of Voynich Group, Duy Trần (@khanhduytran0), @hugeBlack– Mail Drafts
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Replying to an email could display remote images in Mail in Lockdown Mode
Description: A logic issue was addressed with improved checks.
CVE-2026-28929: Yiğit Can YILMAZ (@yilmazcanyigit)– mDNSResponder
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An attacker on the local network may be able to cause a denial-of-service
Description: The issue was addressed with improved memory handling.
CVE-2026-43653: Atul R V– mDNSResponder
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory
Description: A use after free issue was addressed with improved memory management.
CVE-2026-43668: Ricardo Prado, Anton Pakhunov– mDNSResponder
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An attacker on the local network may be able to cause a denial-of-service
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2026-43666: Ian van der Wurff (ian.nl)– Model I/O
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing a maliciously crafted image may corrupt process memory
Description: The issue was addressed with improved memory handling.
CVE-2026-28940: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative– Model I/O
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents
Description: The issue was addressed with improved checks.
CVE-2026-28941: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative– Networking
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An attacker may be able to track users through their IP address
Description: This issue was addressed through improved state management.
CVE-2026-28906: Ilya Sc. Jowell A.– Privacy
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to circumvent App Privacy Report logging
Description: This issue was addressed with additional entitlement checks.
CVE-2026-28873: Guy Dor– Quick Look
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Parsing a maliciously crafted file may lead to an unexpected app termination
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2026-43656: Peter Malone– SceneKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: A remote attacker may be able to cause unexpected app termination
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2026-28846: Peter Malone– Shortcuts
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by adding an additional prompt for user consent.
CVE-2026-28993: Doron Assness– Siri
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to elevate privileges
Description: A logic issue was addressed with improved checks.– Status Bar
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to capture a user’s screen
Description: An issue with app access to camera metadata was addressed with improved logic.
CVE-2026-28957: Adriatik Raci– WebKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: The issue was addressed with improved input validation.
WebKit Bugzilla: 308675
CVE-2026-28907: Cantina– WebKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: A validation issue was addressed with improved logic.
WebKit Bugzilla: 308906
CVE-2026-43660: Cantina– WebKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 308707
CVE-2026-28847: DARKNAVY (@DarkNavyOrg), Daniel Rhea, Anonymous working with TrendAI Zero Day Initiative
WebKit Bugzilla: 309601
CVE-2026-28904: Luka Rački
WebKit Bugzilla: 310303
CVE-2026-28903: Mateusz Krzywicki (iVerify.io)
WebKit Bugzilla: 310880
CVE-2026-28955: wac and Kookhwan Lee working with TrendAI Zero Day Initiative
WebKit Bugzilla: 309628
CVE-2026-28953: Maher Azzouzi– WebKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: This issue was addressed with improved access restrictions.
WebKit Bugzilla: 309698
CVE-2026-28962: Vitaly Simonovich, Vaagn Vardanian, Luke Francis, kwak kiyong / kakaogames, greenbynox, Adel Bouachraoui– WebKit
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved input validation.
WebKit Bugzilla: 310527
CVE-2026-28917: Vitaly Simonovich– Wi-Fi
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2026-28819: Wang Yu– Wi-Fi
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Wi-Fi packets
Description: A use after free issue was addressed with improved memory management.
CVE-2026-28994: Alex Radocea– zlib
Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation
Impact: Visiting a maliciously crafted website may leak sensitive data
Description: An information leakage was addressed with additional validation.
CVE-2026-28920: Brendon Tiszka of Google Project Zero
■関連リンク
・エスマックス(S-MAX)
・エスマックス(S-MAX) smaxjp on Twitter
・S-MAX – Facebookページ
・iOS 17 関連記事一覧 – S-MAX
・iPadOS 17 関連記事一覧 – S-MAX
・iOS 18 のアップデートについて – Apple サポート (日本)
・iPadOS 18 のアップデートについて – Apple サポート (日本)
・iOS 18.7.9およびiPadOS 18.7.9のセキュリティコンテンツについて – Apple サポート (日本)
・Apple セキュリティアップデート – Apple サポート
コメント