Apple’s iOS 26.5.2 Patches 29 Vulnerabilities, Most in WebKit
Apple’s iOS 26.5.2 patches 29 security vulnerabilities, with most fixes targeting WebKit across Safari and in-app browsers on iPhone and iPad. No zero-days.
Apple pushed iOS 26.5.2 and iPadOS 26.5.2 to supported iPhones and iPads on Monday, June 29, 2026, a security-only release that closes 29 vulnerabilities. Apple’s own release notes capture the update in a single sentence: ‘This update provides security fixes for your iPhone.’ Most of the 29 fixes land in WebKit, the engine behind Safari and in-app browsers across third-party iOS apps.
None of the patched flaws were confirmed to have been actively exploited before the update shipped, per Apple’s CVE-by-CVE advisory for iOS 26.5.2. The compatibility list covers iPhone 11 and later, plus iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later. Apple shipped macOS Tahoe 26.5.2 and Safari 26.5.2 alongside iOS 26.5.2, putting the same fix set in front of Mac users on the same day.
What the 29 Patches Actually Cover
Apple’s full archive of security releases breaks the fix list down one CVE at a time rather than rolling them into broader categories. WebKit carries the heaviest load, with 19 of the 29 entries in the count by Thurrott and over 15 according to AppleInsider’s coverage. Other components hit include the kernel, WebRTC, Web Extensions, the IOGPUFamily graphics stack, and libxslt for XML processing. macOS Tahoe 26.5.2 and Safari 26.5.2 ship the same fixes to Mac users on the same day. There are no user-facing features in the update, matching the typical one-line official release notes.
| Component | What it addresses | Sample CVE | Researcher credit |
|---|---|---|---|
| WebKit (use-after-free) | Malicious web extension could trigger an unexpected process crash | CVE-2026-43704 (Bugzilla 314642) | dr3dd |
| WebKit (cross-origin) | Malicious sites could read data across origins | CVE-2026-43700 (Bugzilla 315368) | Vitaly Simonovich and Christian Meurer Xavier |
| WebKit (double free) | Malicious web content could trigger an unexpected process crash | CVE-2026-43706 | Tristan Madani, Talence Security |
| WebKit (memory handling) | Malicious web content could trigger an unexpected process crash | CVE-2026-43703 | Tristan Madani, Talence Security |
| Kernel | App could leak sensitive kernel state | CVE-2026-43722 | Feng Xue and XGPT of ThreatBook, Hyunwoo Kim |
| Kernel | App could terminate the system or write kernel memory | CVE-2026-43724 | Hyunwoo Kim (@v4bel) |
| Kernel | App could terminate the system or corrupt kernel memory | CVE-2026-39868 | Vladislav Shevchenko (Positive Technologies), Ye Zhang (Baidu Security), Billy Jheng Bing Jhong and Pan Zhenpeng (STAR Labs SG) |
On the WebKit side, CVE-2026-43704 (credited to dr3dd via WebKit Bugzilla 314642) closed a use-after-free bug capable of letting a malicious web extension trigger an unexpected process crash. CVE-2026-43700 (Vitaly Simonovich and Christian Meurer Xavier) addressed a cross-origin issue that could let malicious sites read data across origins, fixed by improved tracking of security origins. CVE-2026-43706 and CVE-2026-43703 (both Tristan Madani at Talence Security) closed a double-free flaw and a memory-handling issue, both capable of crashing Safari on malicious web content. All four WebKit CVEs were addressed through Apple’s standard memory-management improvements.
On the kernel side, CVE-2026-43722 (Feng Xue and XGPT of ThreatBook, Hyunwoo Kim) closed a sensitive kernel-state leak. CVE-2026-43724 (Hyunwoo Kim) addressed a flaw that could let an app terminate the system or write kernel memory. CVE-2026-39868, credited to Vladislav Shevchenko of Positive Technologies, Ye Zhang of Baidu Security, Billy Jheng Bing Jhong, and Pan Zhenpeng of STAR Labs SG, addressed a kernel memory corruption flaw.
macOS users get the same fixes through macOS Tahoe 26.5.2, with macOS Sonoma and macOS Sequoia users receiving Safari 26.5.2 only, per Apple’s security releases list. The iOS 26.5.2 list also backports fixes Apple initially tested in the iOS 26.6 beta cycle.

Why WebKit Carries the Bulk of the Update
WebKit sits behind every browser on iOS and iPadOS, including third-party browsers like Chrome and Firefox, because Apple’s App Store policies require all browsers on those devices to use Apple’s engine. The EU’s Digital Markets Act did open the door to alternative engines, though, per Thurrott’s coverage, no major iOS browser has yet taken advantage. That makes WebKit the surface area for nearly every in-app browser on iOS, not just for Safari itself.
Two of the WebKit fixes, per security write-ups, allowed maliciously crafted web content to disclose sensitive user information. A WebKit Storage bug had let malicious websites silently hijack clipboard data, addressed in iOS 26.5.2 through tighter state management. Resolved WebRTC and WebKit issues had been able to trigger Safari crashes and memory corruption. WebKit also shipped an enhanced-check fix to stop malicious websites from processing restricted web content outside the sandbox. The 19 WebKit entries in this release map to the same engine any iOS in-app browser uses to render web pages, a reach that puts the patch in the install-today category. Browser security is following the same pattern across vendors, with Google’s recent Chrome 144 stable-channel release shipping a similar weight of fixes, per a related Chrome 144 browser-engine patch write-up on this site.
Apple Is Now Racing AI-Assisted Bug Hunters
Apple told Reuters on Monday it was adapting to the reality that artificial intelligence is speeding up the development of malicious hacking tools. The company said it needed to reduce the time between when updates are first made public and when they are put into customers’ hands. The shift has been described in coverage as ‘compressing’ Apple’s response window to disclosed flaws. Security researchers say the rationale is real, and accelerating.
‘With recent AI advances, we are seeing vulnerability finding times dramatically reduce, which makes patching that much more difficult… Waiting for large updates to cover smaller known vulnerabilities over a long period of time might be a thing of the past now with such tools that even more rapidly search for any possible exploits.’
Jake Moore, global cybersecurity advisor at ESET, framed the shift in comments to Forbes, linking Apple’s move to a broader pattern in which attackers identify weaknesses faster than traditional release windows permit. Stuff’s reporting on the release adds that Apple is making a point of shipping security fixes it would have previously bundled into the soon-to-be-released iOS 27. The compression shrinks the time attackers have to turn a disclosed flaw into a working exploit.
That posture carries trade-offs. Pulling patches forward into smaller drops means more frequent updates for users, plus more chances to install before an exploit arrives. iOS 26.5.2 dropped roughly a month after iOS 26.5.1, with the iOS 26.6 beta running in parallel and the iOS 27 beta seeding into developer hands. iOS 26.5.2 does not fix any vulnerability that was used in a targeted attack, per AppleInsider Forums’ breakdown, which keeps the urgency dial down a notch relative to a zero-day drop. Even so, the public disclosure of those flaws is now a starting point for attackers crafting exploits against unpatched devices.
Looking Past iOS 26.5.2
The update lands as a routine maintenance drop, not an emergency out-of-band patch. None of the 29 patched vulnerabilities were confirmed as actively exploited in the wild before the update shipped. The AppleInsider Forums breakdown puts the point more sharply, saying iOS 26.5.2 carries no fixes for vulnerabilities used in targeted attacks. Apple’s own security releases page withholds disclosure until investigations and patches are ready, so exploitation status is unknown or unconfirmed when each advisory lands.
iOS 26.6 beta 3 (build 23G5052d) shipped to developers on June 29, the same day as iOS 26.5.2, with public release expected in July per Macworld. The current beta cycle is expected to bring bug fixes, refinements, and at least one anti-theft feature, per Thurrott. iOS 27 is in the developer beta pipeline, with public beta expected in July and full release this fall; readers tracking what new features iOS 27 will carry beyond the security track can read about what AutoMix and other iOS 27 features add.
Five Taps to Install iOS 26.5.2
Installing iOS 26.5.2 is a five-tap process for most users. Devices with Automatic Updates turned on will pick up the release during the standard rollout window over the next few days. Users who want it now can trigger the install manually from Settings, as MacDailyNews and Apple’s own instructions both outline. MacDailyNews recommends backing up the device first and ensuring at least 50 percent battery or a plugged-in charger.
- Connect the iPhone or iPad to Wi-Fi.
- Confirm battery is at or above 50 percent, or plug the device in.
- Open the Settings app.
- Tap General, then tap Software Update.
- Tap Download and Install when iOS 26.5.2 appears, then follow the on-screen instructions.
The same flow applies to iPadOS 26.5.2 on supported iPads: iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later. iPhones and iPads left off the iOS 26.5.2 compatibility list are receiving parallel security updates through iOS 18.7.9, iPadOS 18.7.9, iPadOS 17.7.11, iOS 16.7.16, and iOS 15.8.8. The advice across the spectrum of write-ups, from MacDailyNews to AppleInsider Forums, is to update now.
For Mac users, macOS Tahoe 26.5.2 brings the equivalent fixes on June 29 as well. Macs on macOS Sonoma or macOS Sequoia receive Safari 26.5.2 only, while older macOS branches receive their own Apple-supplied security updates. Apple’s security releases list names every supported version in detail. The takeaway from across the day is that the same 29-fix backbone now covers Apple’s three consumer OS families, with older hardware running parallel tracks on iOS 18, iPadOS 18, and earlier.
Frequently Asked Questions
What does iOS 26.5.2 fix?
iOS 26.5.2 closes 29 security vulnerabilities disclosed by Apple on June 29, 2026. The fixes span WebKit, the kernel, WebRTC, Web Extensions, IOGPUFamily graphics, and the libxslt XML library.
Were any iOS 26.5.2 flaws actively exploited?
Apple’s own advisory makes no claim that any of the 29 vulnerabilities were exploited before the patch shipped. AppleInsider Forums’ coverage says iOS 26.5.2 carries no fixes for vulnerabilities used in targeted attacks.
Why does WebKit take so much of iOS 26.5.2?
WebKit is the rendering engine for Safari and, on iOS and iPadOS, every other browser in the App Store. A bug there cascades across third-party apps that load web content. Of the 29 fixes, 19 land in WebKit, per Thurrott.
Is my iPhone eligible for iOS 26.5.2?
iPhone 11 and later. Earlier iPhones on iOS 18 receive parallel iOS 18.7.x security updates through Apple’s older-device patch track.
What comes after iOS 26.5.2?
iOS 26.6 is in beta, with public release expected in July. iOS 27 is in the developer beta pipeline, with public beta expected in July and full release this fall.
