The latest Apple Security Update brings fixes for more than 30 security vulnerabilities in iOS 26.5.2 and iPadOS 26.5.2, addressing flaws across the kernel, WebKit, WebRTC, libxslt, and IOGPUFamily. Released on June 29, Apple said the update includes security fixes that were previously introduced in the iOS 26.6 and iPadOS 26.6 beta releases, strengthening protections for supported iPhone and iPad devices.
The update is available for iPhone 11 and later, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later).
Apple Security Update Addresses Kernel and System-Level Vulnerabilities
Among the most significant Apple security fixes are several kernel vulnerabilities that could allow an application to trigger unexpected system termination, write to kernel memory, leak sensitive kernel state, or corrupt kernel memory.
Apple said these issues were resolved through improved input sanitization and input validation. The patched vulnerabilities include CVE-2026-43724, CVE-2026-43722, and CVE-2026-39868.
The update also resolves a flaw in IOGPUFamily (CVE-2026-43743) that could allow an application to cause an unexpected system termination. Apple addressed the issue through improved state handling.
Apple Security Update Delivers Extensive WebKit Protections
A large portion of the update focuses on WebKit vulnerabilities, the browser engine that powers Safari and other Apple applications.
According to Apple’s advisory, the fixes address multiple security issues that could allow malicious web content to disclose sensitive user information, trigger unexpected crashes, corrupt memory, bypass browser restrictions, or enable cross-origin data exfiltration.
The advisory also patches vulnerabilities that could allow malicious websites to process restricted web content outside the browser sandbox, disclose process memory, or leak sensitive information through permissions-related issues.
Apple said the flaws were addressed through improved memory management, input validation, bounds checking, and stronger security origin tracking.
Safari, WebRTC and Other Components Receive Security Fixes
Beyond WebKit, the Apple Security Update includes fixes for vulnerabilities affecting Safari security, WebRTC, libxslt, Web Extensions, WebKit Canvas, and WebKit Storage.
According to Apple:
- Two libxslt vulnerabilities could cause unexpected process crashes when processing maliciously crafted web content.
- A Web Extensions vulnerability could allow a malicious extension to trigger an unexpected process crash.
- A WebKit Storage vulnerability could enable a malicious website to silently hijack clipboard data.
- Multiple WebRTC vulnerabilities could lead to Safari crashes or unexpected process termination after processing malicious web content.
Apple Credits Researchers for Reporting CVEs
Apple acknowledged dozens of security researchers and organizations that reported the patched CVE vulnerabilities, including researchers from Positive Technologies, STAR Labs SG, DEVCORE Research Team, Talence Security, Calif.io, NVIDIA AI Red Team, Braze Security Team, Anthropic, OpenAI Codex Security, ThreatBook, and Baidu Security, among others.
The company reiterated that it does not publicly disclose or discuss security issues until investigations have been completed and software updates have been released to customers. Apple also noted that its security advisories reference CVE identifiers whenever possible.
The latest Apple Security Update delivers broad protections across core operating system components, reinforcing Apple’s ongoing efforts to address security vulnerabilities affecting supported iPhone and iPad devices through regular software updates.
