Over 60 Security Fixes in iOS 26.5
Apple’s latest iOS 26.5 security update delivers more than 60 security fixes, targeting some of the most sensitive parts of the operating system. Six kernel-level flaws were patched, including CVE-2026-28951, a bug that could allow a malicious app to gain root privileges—effectively taking full control of your device. Around a dozen WebKit issues were also resolved, such as CVE-2026-28962, where simply interacting with booby-trapped web content might expose sensitive data. Apple rarely issues broad, urgent guidance, but this release is accompanied by a clear warning for all iPhone users to update immediately. The patch set arrives just weeks after an emergency 26.4.2 fix and follows 37 earlier security patches in iOS 26.4, underscoring a rapidly evolving threat landscape. If you rely on your iPhone for work, messaging, or browsing, installing iOS 26.5 should be treated as a priority rather than a routine upgrade.
Key Vulnerabilities: Kernel, WebKit, and Sandbox Escapes
The most dangerous issues addressed in iOS 26.5 cluster around three attack surfaces: the kernel, WebKit, and app sandboxes. Kernel flaws such as CVE-2026-28951 and CVE-2026-28943 could enable attackers to escalate privileges and bypass core system protections. WebKit bugs, including CVE-2026-28962 and CVE-2026-28942, are particularly concerning because they can be triggered by visiting a malicious website or viewing crafted content inside apps that embed web views. Another notable fix, CVE-2026-28995 in App Intents, closed a sandbox escape where a rogue app might break out of its containment and interact with other data or processes. Security experts note that modern mobile attacks often chain these components: a WebKit exploit for initial access, a sandbox escape for lateral movement, and a kernel exploit for full compromise. iOS 26.5 cuts off all three steps, significantly raising the bar for attackers.
Who Found the Bugs—and Why That Matters
The attribution behind several of the iOS 26.5 fixes highlights the seriousness of these vulnerabilities. One kernel issue, CVE-2026-28943, was reported by Google’s Threat Analysis Group, a team that primarily tracks state-backed and high-risk targeted attacks. This suggests the flaw was interesting enough for advanced actors to potentially weaponize. On the WebKit side, CVE-2026-28942 was credited to Anthropic researchers using its Claude AI system, showing how artificial intelligence is now being deployed to uncover complex security defects. At the same time, attackers are also turning to AI to discover and exploit vulnerabilities faster. That arms race is exactly why Apple and security professionals are stressing rapid adoption of updates like iOS 26.5. Even though Apple says none of the patched vulnerabilities are yet known to be actively exploited, history shows that once bugs are disclosed and patched, exploit development often accelerates.
Which Devices Should Update—and Alternative Patches for Older Models
iOS 26.5 is available for iPhone 11 and later models, as well as compatible iPads from the 8th generation and iPad mini 5th generation onward. These devices receive the full suite of over 60 security fixes, including all kernel and WebKit patches. However, Apple has not left older hardware behind. For iPhone XS, XS Max, XR, and the 7th‑generation iPad, Apple has released iOS 18.7.9 and iPadOS 18.7.9 with the same critical security content. Even more legacy devices are covered via iPadOS 17.7.11, iOS 16.7.16, and iOS 15.8.8. These updates target iPhones as far back as the 6s and iPads as old as the Air 2 and 5th generation. Apple’s decision to patch so many generations underscores how many older iPhone and iPad models remain in everyday use and how vital it is to secure them against contemporary threats.
How to Update Safely and What to Expect
Before installing iOS 26.5 or the corresponding iPadOS and legacy iOS updates, back up your device using iCloud or your preferred method. Then open Settings, tap General, and select Software Update. Your iPhone or iPad will display the appropriate version—whether that’s iOS 26.5, 18.7.9, 17.7.11, 16.7.16, or 15.8.8—based on the model you’re using. Tap Download and Install, and allow time for the update and automatic restart to complete. Beyond the iPhone security patches, Apple has simultaneously shipped updates for macOS, watchOS, tvOS, and visionOS, suggesting a coordinated security push across its entire ecosystem. iOS 26.5 also folds in late-stage bug fixes discovered during the Release Candidate phase, improving stability in addition to closing vulnerabilities. Given the interplay of kernel, WebKit, and sandbox flaws addressed, delaying this update leaves you exposed to precisely the kind of multi-stage attacks modern adversaries favor.