Vulnerabilities | Jun 30, 2026

Apple Patches 30+ iOS, macOS, Safari Flaws, Including AI-Discovered WebKit Bugs

Apple patches over 30 iOS, macOS, and Safari flaws, including AI-discovered WebKit bugs.

Summary

Apple has released security updates for its operating systems and Safari browser, addressing more than thirty vulnerabilities. Notably, four of these flaws were found in WebKit using AI tools like Anthropic Claude and OpenAI Codex Security. Apple is accelerating its update releases due to concerns that AI could speed up exploit development.

Full text

Ravie Lakshmanan | Jun 30, 2026 | Artificial Intelligence / Vulnerability

Apple on Monday released security updates for iOS, macOS, and the Safari web browser to address over three dozen flaws, including four vulnerabilities in WebKit that were discovered using artificial intelligence (AI) tools like Anthropic Claude and OpenAI Codex Security.

The WebKit vulnerabilities are listed below -

  • CVE-2026-43707 - A memory corruption issue that could result in an unexpected process crash when processing maliciously crafted web content. It was addressed with improved memory handling.
  • CVE-2026-43716 - An unspecified issue that could result in an unexpected Safari crash when processing maliciously crafted web content. It was addressed with improved memory handling.
  • CVE-2026-43745 - An out-of-bounds write issue that could result in an unexpected Safari crash when processing maliciously crafted web content. It was addressed with improved input validation.
  • CVE-2026-43715 - A use-after-free issue that could result in memory corruption when processing maliciously crafted web content. It was addressed with improved memory management.

The first three security defects have been credited by Apple to OpenAI Codex Security, while Anthropic researchers Milad Nasr and Nicholas Carlini, along with Claude, have been acknowledged for CVE-2026-43715.

The four vulnerabilities are part of nearly 30 vulnerabilities that have been patched in WebKit, an open-source web browser engine developed by Apple. Others include a use-after-free issue in WebKit Canvas (CVE-2026-43720) and a vulnerability that could be exploited by a malicious website to process restricted web content outside the sandbox (CVE-2026-43725).
Apple has also remediated three bugs that could be exploited by a malicious app to leak sensitive kernel state (CVE-2026-43722), cause unexpected system termination or write kernel memory (CVE-2026-43724), or corrupt kernel memory (CVE-2026-39868). Security researcher Hyunwoo Kim, who discovered Dirty Frag, has been credited with discovering and reporting CVE-2026-43724 and CVE-2026-43722.

The updates are available for iOS 26.5.2, iPadOS 26.5.2, macOS Tahoe 26.5.2, and Safari 26.5.2. None of the patched vulnerabilities has been disclosed as actively exploited in the wild.

In a statement shared with Reuters, Apple said it's making the security updates much earlier than before in response to concerns that AI tools could accelerate the development of exploits and act as an enabler of cyber warfare, shrinking the window between discovery and weaponization to hours.

The company said "it was adapting to the reality that, given the ability of artificial intelligence to speed the development of malicious hacking tools, it needed to reduce the time between when updates were first made public and when they were put into customers' hands," Reuters reported.

Indicators of Compromise

  • cve — CVE-2026-43707
  • cve — CVE-2026-43716
  • cve — CVE-2026-43745
  • cve — CVE-2026-43715
  • cve — CVE-2026-43720
  • cve — CVE-2026-43725
  • cve — CVE-2026-43722
  • cve — CVE-2026-43724
  • cve — CVE-2026-39868

Entities

  • iOS (product)
  • macOS (product)
  • Safari (product)
  • WebKit (technology)
  • Anthropic Claude (product)
  • OpenAI Codex Security (product)