Apple on Monday released iOS 26.5 with a warning for all users to install the update immediately, fixing more than 60 security vulnerabilities spanning the Kernel, WebKit, and App Intents frameworks.
Six Kernel-level flaws were patched, including CVE-2026-28951, which could allow an app to gain root privileges. Around a dozen WebKit bugs were also addressed, among them CVE-2026-28962, where interacting with malicious web content could expose sensitive user information.
Another issue, CVE-2026-28995 in App Intents, could let a malicious app escape its sandbox. The concentration of Kernel memory issues, WebKit vulnerabilities, and the App Intents sandbox escape "reflects the types of components commonly chained together in modern mobile attacks," said Adam Boynton, senior enterprise strategy manager at Jamf. While none of the vulnerabilities are reported as actively exploited, the attribution of specific flaws reveals the threat market.
One Kernel vulnerability, CVE-2026-28943, was credited to Google's Threat Analysis Group, which focuses on state-backed threats and high-risk users. A separate WebKit flaw, CVE-2026-28942, was credited to Anthropic researchers working with its Claude AI system. The involvement of AI tools on both sides of the equation, Anthropic's Claude identifying bugs that need patching while adversaries also use AI for attacks, makes updating quickly especially important.
IOS 26.5 is available for iPhone 11 and later, along with compatible iPad models from the 8th generation and iPad mini 5th generation onward. For older devices, Apple released iOS 18.7.9 and iPadOS 18.7.9, available only for iPhone XS, iPhone XS Max, iPhone XR, and iPad 7th generation. The update arrives roughly two weeks after the iOS 26.4.2 emergency fix for a notifications bug, and six weeks after iOS 26.4, which contained 37 security patches. Apple also released iPadOS 17.7.11, iOS 16.7.16, and iOS 15.8.8 to patch the same notifications flaw on older hardware.
