iOS 26.5.2 is here: Security update for everyone

Apple has released three minor maintenance updates focused entirely on security. iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2 don't introduce any new features, but they do patch security vulnerabilities and should be installed promptly. This is one of the last updates before the next major generation arrives this fall.

Apple today released iOS 26.5.2 and iPadOS 26.5.2 for iPhone and iPad, along with macOS Tahoe 26.5.2 for Mac. All three are minor updates to the systems launched last year and share identical release notes: the focus is solely on security fixes. This update follows iOS 26.5.1, released about a month ago, which addressed a charging issue on the iPhone Air and iPhone 17 series – this time, however, the focus is on all compatible devices.

What's included in the updates

The updates themselves are deliberately minimal in terms of content. According to Apple's official release notes, they provide security fixes for iPhone, iPad, and Mac; no new features are included. For details, Apple refers users to its central security page. Apple has since released the initially unpublished list of vulnerabilities addressed – and it is considerably more extensive than the brief release notes suggest.

Since Apple's release notes don't typically list every single change, it's possible that minor bug fixes are included alongside the security fixes. However, at its core, it remains a maintenance update – and that's precisely the purpose of a point update ending in .2.

Which gaps do the updates close?

The subsequently released documentation lists 37 individual vulnerabilities, each with its own CVE number. Remarkably, iPhone, iPad, and Mac receive exactly the same set of fixes: the security content of iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2 is identical.

By far the largest portion of the fixes concerns WebKit, the browser engine behind Safari: 26 of the 37 entries relate to WebKit, including its Canvas and Storage components. In addition, there are four fixes for WebRTC, two each for the libxslt library, and one for web extensions – including web-related components. More system-level fixes include three kernel fixes and one for the IOGPUFamily graphics driver.

The vulnerabilities most revolve around manipulated web content that could lead to crashes, memory corruption, or the leakage of sensitive data during processing; several would have allowed attackers to read data across website boundaries or escape the sandbox. A vivid example is a vulnerability in WebKit memory that would have allowed a specially crafted website to silently steal content from the clipboard. The kernel fixes, in turn, prevented apps from triggering unexpected system crashes or manipulating kernel memory.

Apple makes no mention of any prior active exploitation for any of the vulnerabilities – so the update is not an urgent emergency. However, since the technical details are now public, prompt installation is still recommended. Also noteworthy is the growing role of AI-powered security research: several of the reported vulnerabilities originate from teams that use AI models to specifically search for flaws, including researchers from Anthropic, OpenAI, and Nvidia. The Safari security update in the spring already documented the first concrete result of this collaboration.

Here's how to download the updates

On iPhone and iPad, the update can be installed via Settings under "General" and then "Software Update." On a Mac, it's accessed via System Preferences under "Software Update." Since this update contains security-related fixes, prompt installation is recommended - however, if you prefer, you can wait a day or two after a major release to avoid the initial wave of updates.

Positioning within Apple's update cycle

Between major system releases, Apple regularly releases point updates ending in .1 or .2. These updates don't introduce new features but instead fix bugs, improve stability, and close security vulnerabilities discovered after the main release. iOS 26.5.2 fits seamlessly into this pattern and is correspondingly unremarkable. The underlying iOS 26 launched in September with new features like RCS encryption – since then, Apple has primarily maintained the series through these maintenance updates.

iOS 26 is entering its final phase

With iOS 26.5.2, the current generation is nearing its end. Apple is already testing iOS 26.6, which so far shows only minimal visible changes – meaning at least one more update is expected before autumn. However, the main focus is clearly on iOS 27, which Apple has already made available to developers; a public beta is expected in July, with the final release in autumn. Until then, updates like this one ensure that the running system remains secure and stable in the background. (Image: Apfelpatient)