Apple on Monday announced the release of major iOS and macOS platform updates with fixes for a total of more than 50 vulnerabilities.
iOS 26 and iPadOS 26 were released for the latest generation iPhone and iPad devices with fixes for 27 unique CVEs that could lead to memory corruption, information disclosure, crashes, and sandbox escapes.
WebKit received the largest number of fixes, at five, for security defects that could lead to process crashes, Safari crashes, or could allow websites to access sensor information without consent.
The iOS update also fixes vulnerabilities in Apple Neural Engine, Bluetooth, CoreAudio, CoreMedia, Kernel, Safari, Sandbox, Siri, System, and a dozen other components.
Apple released macOS Tahoe 26 with patches for 38 unique CVEs, including 11 that were resolved in iOS 26 and iPadOS 26 as well.
The most affected components include WebKit, which received fixes for five bugs, AppleMobileFileIntegrity and SharedFileList with patches for four issues each, and Bluetooth and Sandbox with fixes for three flaws each.
Other components that received patches include AppKit, AppSandbox, ATS, CoreMedia, CoreServices, FaceTime, Foundation, GPU Driver, ImageIO, Notification Center, RemoteViewServices, Security Initialization, Spotlight, and StorageKit.
On Monday, Apple also released iOS 18.7 and iPadOS 18.7 with fixes for 12 security defects, and rolled out iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5 with patches for CVE-2025-43300, an ImageIO flaw exploited in attacks targeting WhatsApp users. Apple released the first patches for the vulnerability on August 20.
The Cupertino tech company delivered hefty sets of patches for macOS Sequoia 15.7 and macOS Sonoma 14.8, and released tvOS 26, watchOS 26, and visionOS 26 with patches for nearly two dozen vulnerabilities each.
Safari 26 was rolled out with fixes for seven security defects, while Xcode 26 arrived with patches for five bugs.
Aside from CVE-2025-43300, Apple makes no mention of any of the resolved vulnerabilities being exploited in the wild. Additional information can be found on the company’s security releases page.
Related: Samsung Patches Zero-Day Exploited Against Android Users
Related: Payment System Vendor Took Year+ to Patch Infinite Card Top-Up Hack: Security Firm
Related: Critical Chrome Vulnerability Earns Researcher $43,000
Related: Highly Popular NPM Packages Poisoned in New Supply Chain Attack
