Over 60 Critical Security Fixes Land in iOS 26.5
Apple’s iOS 26.5 update delivers a major round of iPhone security patches, resolving more than 60 documented vulnerabilities across core system components. The most serious flaws affect the kernel, WebKit (Safari’s browser engine), and App Intents, all prime targets in modern mobile attacks. Six kernel-level bugs were fixed, including CVE-2026-28951, which could allow a malicious app to gain root privileges, effectively taking full control of the device. Around a dozen WebKit issues were also patched, such as CVE-2026-28962, where simply interacting with crafted web content might expose sensitive information. Another bug, CVE-2026-28995 in App Intents, could enable a rogue app to escape its sandbox and reach data it should never see. Together, these iOS security fixes significantly harden the platform, closing off exploit chains that attackers commonly use to move from a web page or app into the heart of the operating system.
Who Needs the Update? Essentially Every iPhone Owner
The iOS 26.5 update is available for iPhone 11 and later, as well as recent iPad models from the 8th‑generation iPad and iPad mini 5th generation onward. However, older iPhones and iPads are not left behind. Apple has shipped matching iPhone security patches through parallel releases for previous iOS generations. Devices that cannot run iOS 26.5 instead receive iOS 18.7.9, iOS 16.7.16, or iOS 15.8.8 (and their iPadOS equivalents), carrying the same underlying security fixes. That coverage includes models such as iPhone XS, XR, iPhone 8, iPhone X, iPhone 7, iPhone 6s, and the first‑generation iPhone SE, along with multiple iPad and iPod touch generations. In practice, if your device still receives system updates at all, this round likely includes you. Apple’s wide rollout underscores the severity of the flaws and the company’s expectation that all supported users install the new protections promptly.
Why These Kernel and WebKit Flaws Are So Dangerous
The concentration of kernel, WebKit, and sandbox-escape vulnerabilities in iOS 26.5 reflects how real-world mobile attacks work. WebKit bugs let attackers trigger memory corruption or data leaks simply by luring users to malicious websites or injecting hostile content into otherwise legitimate pages. Kernel flaws, like CVE-2026-28951 and CVE-2026-28943, provide the opportunity to escalate those initial footholds into full system compromise with root privileges. Meanwhile, vulnerabilities such as CVE-2026-28995 in App Intents can help a malicious app bypass sandbox boundaries designed to keep apps isolated. Security researchers note that these categories are often chained together to silently install spyware, exfiltrate messages and photos, or track users. Although Apple says none of the newly patched issues are known to be actively exploited, the pattern and potential impact mean that leaving devices unpatched substantially increases the risk of future compromise.
Google and AI Researchers Flag High-Risk Vulnerabilities
The discovery credits for several iOS 26.5 vulnerabilities highlight just how high-profile these issues are. One kernel bug, tracked as CVE-2026-28943, was reported by Google’s Threat Analysis Group, a team that focuses on sophisticated, often state-backed attackers and high-risk users. Another WebKit flaw, CVE-2026-28942, was found by researchers at Anthropic working with its Claude AI system, showing that advanced AI tools are now being used to uncover critical weaknesses. Security experts stress that attackers also leverage AI to probe mobile platforms for exploitable bugs, making the race to patch even more urgent. This mix of human and AI-driven research on both offense and defense sides reinforces Apple’s recommendation that users install iOS 26.5 as soon as possible. Delaying leaves your device exposed to exactly the types of vulnerabilities that well-resourced threat actors prioritize.
How to Update Your iPhone and Why You Should Not Wait
Installing the iOS 26.5 update, or its equivalent for older devices, is straightforward and should be treated as a priority. First, back up your iPhone or iPad to iCloud or your preferred backup method. Then open Settings, go to General, and tap Software Update. Your device will display either iOS 26.5 or a version such as iOS 18.7.9, 16.7.16, or 15.8.8, depending on your model. Tap Download and Install, then follow the prompts; your device will restart to complete the process. These iPhone security patches arrive just weeks after previous emergency and feature updates, underlining how frequently new critical security vulnerabilities are discovered. Keeping current with iOS security fixes is one of the most effective ways to protect your data, messages, and online accounts from emerging threats. If you have multiple Apple devices, repeat the process on each to ensure consistent protection.