Apple Patches Dozens of Vulnerabilities Across iOS, macOS, and Safari
Apple releases security updates for iOS, macOS, and Safari, patching dozens of vulnerabilities.
Summary
Apple has issued critical security updates for iOS, iPadOS, macOS, and Safari, addressing a total of 37 vulnerabilities. A significant portion of these fixes, 26 in total, target the WebKit component, which could allow attackers to exfiltrate data, leak sensitive information, or crash applications via malicious websites. The updates also include fixes for kernel, WebRTC, and Web Extensions, with at least four vulnerabilities reportedly identified using AI.
Full text
Apple announced security updates this week for iOS, iPadOS, macOS Tahoe, and Safari that resolve dozens of vulnerabilities, including 26 security defects in WebKit. iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2 were rolled out with 37 security fixes across IOGPUFamily, kernel, libxslt, Web Extensions, WebKit, and WebRTC. The 26 WebKit bugs (including two in WebKit Canvas and WebKit Storage) could be exploited via malicious websites to exfiltrate data, leak sensitive information, crash Safari, corrupt memory, disclose process memory, hijack clipboard data, and process restricted web content outside the sandbox. The 11 flaws affecting other operating system components could lead to system crashes, kernel memory writes, kernel state disclosure, kernel memory corruption, process crashes, and Safari crashes. Per Apple’s advisories, at least four of these security defects appear to have been identified using AI. They were reported to Apple by Anthropic and OpenAI Codex Security researchers. On Monday, Apple also announced the release of Safari 26.5.2 with patches for 31 vulnerabilities in Web Extensions, WebKit, WebKit Canvas, WebKit Storage, and WebRTC.Advertisement. Scroll to continue reading. The Safari update brings these security fixes to macOS Sonoma and macOS Sequoia users, after they were first made available to the users of macOS Tahoe 26.6 beta. The company makes no mention of any of these security defects being exploited in the wild, but threat actors are known to have weaponized bugs in Apple products shortly after disclosure. Users are advised to update their devices as soon as possible, especially since most of the resolved issues affect WebKit and could be triggered when visiting a malicious website. Additional information can be found on Apple’s security updates page. Related: New Exploit Bypasses Apple’s Boot Defenses, Affects Millions of iPhones Related: In Other News: Apple Patches Beats Eavesdropping Flaw, DOT Closes Delta CrowdStrike Probe, AWS Continuum Related: Apple Rejected 2 Million App Store Submissions in 2025 for Security and Fraud Prevention Related: Apple Patches Dozens of Vulnerabilities in macOS, iOS Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Exploitation of Recent Oracle E-Business Suite Vulnerability BeginsCritical SimpleHelp Vulnerability Exploited for Malware DeliveryQuantifind Raises $200 Million for AI-Native Risk IntelligenceResearchers Demo New Claude Code Attack Using Harmless-Looking Repositories to Hijack Developer MachinesStraiker Raises $64 Million for AI Security Platform‘DirtyClone’ Linux Kernel Vulnerability Leads to Root AccessUS Offers $10 Million Bounty for Russian State Hackers as Messaging App Attacks EvolveChinese Framework Powers 200,000 Scam Sites Latest News Frontier AI: Six Questions Every Enterprise Should Ask Security VendorsDawnguard Raises $6.3 Million for Security Architecture Automation PlatformMassive Password Spray Campaign Targeting Azure CLIGoogle Patches 382 Chrome VulnerabilitiesBlueHammer Vulnerability Exploited in Ransomware AttacksDecades-Old Bash Tricks Expose AI Coding Agents to Supply Chain AttacksAflac Japan Data Breach Impacts 4.38 MillionHacker Conversations: Chris Thompson, Former Head of IBM X-Force Red, Co-Founder of RemoteThreat Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveTracey Mustacchio has joined Everfox as Chief Marketing Officer.Mark Carter has been appointed Chief Information Security Officer at Socure.Spektrum Labs has named Mark Cravotta Chief Operating Officer.More People On The MoveExpert Insights Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) Flipboard Reddit Whatsapp Whatsapp Email