Update Your IPhone Now to Fix These 29 Security Vulnerabilities.

While the tech world’s attention is currently focused on iOS 27 , Apple continues to release updates for iOS 26. While it’s unlikely we’ll get another feature release in the “26” era, there will always be bugs and security vulnerabilities that need to be fixed when Apple or third-party researchers discover them. A case in pointis Monday’s release of iOS 26.5.2 , which includes fixes for 29 security vulnerabilities.

First, the good news: none of these vulnerabilities appear to be zero-days. A zero-day is a security vulnerability that is publicly disclosed or actively exploited before the software developer has time to release a patch. They are particularly dangerous because they give hackers an advantage: they can try to find an exploit—or worse, exploit that exploit—until the developer releases an update and their users install it. Fortunately, none of these vulnerabilities appear to be critical, meaning the situation isn’t critical. Still, any unpatched security vulnerability is concerning, and now that they’ve been disclosed, it’s only a matter of time before someone figures out how to exploit them. Therefore, it’s important to install iOS 26.5.2 as soon as possible.

Here’s what iOS 26.5.2 fixes.

According to Apple’s official security update release notes, iOS 26.5.2 (and iPadOS 26.5.2) fixes 29 security vulnerabilities. Many of these relate to how WebKit, Apple’s rendering engine used in Safari, secures user data. You’ll find some vulnerabilities that could leak sensitive data if a user processes malicious web content (such as clicking a fraudulent link), as well as one that could leak sensitive data simply by visiting a website, even if that site isn’t necessarily malicious. Another patch addresses a vulnerability that allows malicious websites to process data outside the “sandbox,” or protected element where Apple stores websites to prevent them from penetrating protected parts of iOS, and yet another fixes a vulnerability that could steal clipboard data without your knowledge.

Below you’ll find a list of 29 patches, along with their descriptions, a description of the fix, and the CVE (Common Vulnerabilities and Exposures) number used to track them. We’d like to emphasize once again that none of these vulnerabilities have known active exploits.

1. IOGPUFamily : An application could cause an unexpected system termination. A race condition was addressed through improved state handling. CVE-2026-43743: Liutong, Dong

2. Kernel : An application could cause an unexpected system termination or write to kernel memory. This issue was addressed through improved input validation. CVE-2026-43724:

3. Kernel : An application could leak sensitive kernel state information. This issue was addressed through improved input validation. CVE-2026-43722.

4. Kernel : An application could cause an unexpected system termination or kernel memory corruption. This issue was addressed through improved input validation. CVE-2026-39868.

5. libxslt : Processing specially crafted malicious web content may cause an unexpected process crash. A double-free issue was addressed through improved memory management. CVE-2026-43706.

6. libxslt : Processing specially crafted malicious web content could lead to an unexpected process crash. This issue was addressed through improved memory handling. CVE-2026-43703.

7. Web Extensions : A malicious web extension could cause an unexpected process crash. A use-after-free issue was addressed through improved memory management. CVE-2026-43704.

8. WebKit : Processing specially crafted malicious web content may lead to the disclosure of sensitive user information. Addressed a cross-domain access issue through improved security origin tracking. CVE-2026-43700.

9. WebKit : A malicious website may be able to pass data from another origin. This issue was addressed through improved validation. CVE-2026-43735.

10. WebKit : Processing specially crafted malicious web content may cause an unexpected process crash. A use-after-free issue was addressed through improved memory management. CVE-2026-43734/CVE-2026-43726/CVE-2026-43709/CVE-2026-43699/CVE-2026-43742.

11. WebKit : Processing specially crafted malicious web content may lead to the disclosure of sensitive user information. Addressed a path handling issue through improved validation. CVE-2026-43732.

12. WebKit : Processing specially crafted malicious web content may lead to memory corruption. A use-after-free issue was addressed through improved memory management. CVE-2026-43731/CVE-2026-43715.

13. WebKit : Processing specially crafted malicious web content may cause Safari to crash unexpectedly. A use-after-free issue was addressed through improved memory management. CVE-2026-43727.

14. WebKit : A malicious website may be able to process restricted web content outside of the sandbox. This issue was addressed through improved input validation. CVE-2026-43725.

15. WebKit : Processing specially crafted malicious web content may cause the process to crash unexpectedly. This issue was addressed through improved memory handling. CVE-2026-43663/CVE-2026-39872/CVE-2026-43712.

16. WebKit : Processing specially crafted malicious web content may cause Safari to crash unexpectedly. This issue was addressed through improved memory handling. CVE-2026-43716.

17. WebKit : Processing specially crafted malicious web content may cause Safari to crash unexpectedly. An out-of-bounds access issue was addressed through improved bounds checking. CVE-2026-43676.

18. WebKit : Processing specially crafted malicious web content may lead to process memory disclosure. This issue was addressed through improved memory handling. CVE-2026-43740.

19. WebKit : Visiting a website may lead to sensitive data leakage. Addressed permissions issue with additional restrictions. CVE-2026-43713.

20. WebKit : A malicious website may be able to pass data from another origin. This issue was addressed through improved input validation. CVE-2026-43708.

21. WebKit : Processing specially crafted malicious web content may cause the process to crash unexpectedly. A memory corruption issue was addressed through improved memory handling. CVE-2026-43707.

22. WebKit : Processing specially crafted malicious web content can lead to memory corruption. A type mismatch issue was addressed through improved validation. CVE-2026-43705.

23. WebKit : A malicious website could process restricted web content outside the sandbox. This issue was addressed through improved checks. CVE-2026-43701.

24. WebKit : Processing specially crafted malicious web content may cause Safari to crash unexpectedly. An out-of-bounds write issue was addressed through improved input validation. CVE-2026-43745.

25. WebKit Canvas : Processing specially crafted malicious web content may cause Safari to crash unexpectedly. A use-after-free issue is addressed through improved memory management. CVE-2026-43720.

26. WebKit Storage : A malicious website could silently intercept clipboard data. This issue was addressed through improved state management. CVE-2026-43721.

27. WebRTC : Processing specially crafted malicious web content may cause the process to crash unexpectedly. An out-of-bounds access issue was addressed through improved bounds checking. CVE-2026-28979.

28. WebRTC : Processing specially crafted malicious web content may cause Safari to crash unexpectedly. Addressed a stack overflow issue with improved input validation. CVE-2026-43718.

29. WebRTC : Processing specially crafted malicious web content may cause Safari to crash unexpectedly. A use-after-free issue was addressed through improved memory management. CVE-2026-43717/CVE-2026-43746.

How to update iOS to version 26.5.2

Installing this security update is similar to installing any other iOS update. If you have automatic updates enabled, the OS should update automatically at the scheduled time. However, you can initiate the process manually by going to General > Software Update and following the on-screen instructions.

More…