iOS, macOS 26.4 Roll Out With Fresh Security Patches
Apple releases iOS 26.4, macOS 26.4, and related updates patching 80+ vulnerabilities.
Summary
Apple released security updates across its product lineup on Tuesday, patching over 80 vulnerabilities in iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, and related OS versions for older devices. The patches address critical flaws in WebKit, kernel components, and third-party dependencies including Apache libraries, Curl, and LibPNG that could enable sandbox escapes, privilege escalation, memory corruption, and sensitive data access. Apple reported no evidence of these vulnerabilities being actively exploited in the wild.
Full text
Apple on Tuesday rolled out a fresh wave of security updates to resolve more than 80 vulnerabilities across its mobile and desktop operating systems.
iOS 26.4 and iPadOS 26.4 were released for the latest generation iPhone and iPad devices with patches for nearly 40 security defects. WebKit received fixes for eight bugs that could be exploited by malicious websites to bypass policy enforcement, mount XSS attacks, fingerprint users, escape the sandbox, or crash the process.
Issues addressed in the kernel could be exploited to disclose kernel memory, leak sensitive kernel state, corrupt kernel memory, or write kernel memory. Vulnerabilities resolved in other components may lead to network traffic interception, access to biometrics-gated Protected Apps, process crashes, app termination, denial-of-service (DoS), installed apps enumeration, sandbox escape, and access to sensitive information.
Patches for roughly two dozen of these security defects were delivered to users of older devices as part of the iOS 18.7.7 and iPadOS 18.7.7 security updates.
On Tuesday, Apple also rolled out macOS Tahoe 26.4 with fixes for over 75 bugs, including roughly 30 flaws that were addressed with the iOS 26.4 and iPadOS 26.4 updates. The patches target issues in dozens of native components, but also vulnerabilities in third-party open source dependencies, including multiple Apache libraries, Curl, and LibPNG.
Additionally, Apple released macOS Sequoia 15.7.5 and macOS Sonoma 14.8.5 with patches for over 50 of these vulnerabilities each.
While tvOS 26.4 and watchOS 26.4 were rolled out with fixes for over a dozen vulnerabilities each, visionOS 26.4 is bringing patches for nearly 30 bugs to its users.
On Tuesday, Apple also announced the release of Safari 26.4 with fixes for the eight WebKit bugs. Xcode 26.4 was rolled out with patches for two flaws.
Apple makes no mention of any of these security defects being exploited in the wild.
Additional information on the updates can be found on the company’s security advisories page.
Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.