More on this from CitizenLab, which says both iOS zero-days were part of a zero-click no-user-interaction exploit chain named BLASTPASS.

The exploit was used in the wild to install the NSO Group Pegasus spyware on the latest version of iOS (16.6).

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/