
iOS 26.5 closes over 50 security vulnerabilities at once

by Milan
May 11, 2026

Image: Shutterstock / 1st footage

Behind the new features of iOS 26.5 lies a second, less visible package: Apple has closed more than 50 documented security vulnerabilities in the iPhone system with this update. The range of issues extends from the kernel and image processing to app sandbox breaches – making the update attractive even for users who have little use for the new features.

With the release of iOS 26.5, Apple published a comprehensive list of security fixes alongside new features such as RCS encryption and redesigned wallpapers. As is typical with Apple updates, the list was only released after the rollout – Apple generally only discloses details about vulnerabilities once patches are available. The now-published list shows that the update involved significantly more technical work than the version number might suggest.

More than 50 vulnerabilities in one update

Apple's security notes for iOS 26.5 list over 50 individual vulnerabilities, each with its own CVE number. Every vulnerability is specifically documented: which component was affected, what the consequences of an attack could have been, and how the flaw was fixed. The sheer number is remarkable for a point update and indicates that Apple not only rolled out features with iOS 26.5 but also simultaneously hardened large parts of the system.

Apple itself refers to its central overview page for security releases, where all current patch notes are continuously updated. Anyone wishing to look up individual CVE entries will find them there in full.

Which areas were affected

The list covers key system components. Several vulnerabilities in the kernel, the lowest layer of the operating system, have been fixed. These vulnerabilities could have allowed attackers to read memory contents or disrupt the system state in certain scenarios. In the ImageIO image processing framework, Apple has closed several buffer overflow issues that could be triggered by manipulated image files. AppleJPEG, CoreAnimation, and the audio subsystem also had vulnerabilities where specially crafted media files could crash processes or corrupt memory.

Additionally, Apple fixed a flaw in App Intents that could have allowed a malicious app to escape its sandbox, as well as flaws in the Accounts and FileProvider components, where apps could potentially access sensitive user data. A vulnerability was even reported in IOHIDFamily that would have allowed kernel memory allocation to be read – a classic starting point for more complex attack chains.

What the increase in fixes means

Fifty vulnerabilities in a single update sounds like a lot, but in the Apple ecosystem, it's not a cause for alarm. Point releases typically bundle fixes gathered since the last update - some from internal audits, some from the Apple Security Bounty Program, and some from tips from external researchers. These patches are therefore less a reaction to acute waves of attacks and more a planned maintenance package. We've explained in detail how Apple organizes these patch cycles and why regular security updates are important for every iPhone in our Apple Security Updates Guide.

Nevertheless, the frequency of these incidents demonstrates how broad the attack surface of modern smartphone operating systems has become. From the audio codec to the sandbox logic – each layer has its own security requirements, and Apple has to maintain them all simultaneously.

Reference to state attackers

Several CVE entries come from researchers named by Apple – including one attributed to Google's Threat Analysis Group. This group specializes in state-sponsored and commercial spyware operations. When vulnerability information originates from this group, it typically points to mechanisms relevant to targeted attacks against individuals. Apple itself usually indicates in its security notes when a vulnerability has been actively exploited – the now-published entries document who reported which vulnerability.

For most users, this level of detail is irrelevant. However, it indicates that the updates not only address convenience bugs but also close vulnerabilities that play a role in professional attack scenarios.

Updates also for older systems

Alongside iOS 26.5, Apple has released security updates for older operating system versions – including iOS 18.7.9, iPadOS 17.7.11, iOS 16.7.16, and iOS 15.8.8, as well as corresponding versions for macOS Sequoia and Sonoma. With the exception of iOS 18.7.9, these releases each contain only a single security fix: the patch for a vulnerability in deleted notifications, which was already included in iOS 26.4.2 and is now being delivered for older devices as well.

This means that users whose devices will not receive the upgrade to iOS 26 will also benefit from the security patch. This approach is a deliberate policy of Apple to roll out critical fixes to older branches as well.

Install update now

Anyone who hasn't yet installed iOS 26.5 should do so as soon as possible – even if the new features aren't their main focus. You can start the download directly via Settings > General > Software Update. The installation works on all currently supported iPhones (iPhone 11 and later) as well as on iPads supported during the update period.

For users with special security needs – such as people who are frequently targeted by attackers due to their profession – rapid installation is a key protective factor. In such situations, Apple's updates are often the most important line of defense.

Security fixes as an underestimated reason for updates

The sheer number of vulnerabilities patched in iOS 26.5 makes it clear that security updates are not a side issue of a release, but its backbone. Anyone eagerly awaiting new features should take the patching aspect of an update at least as seriously – especially since Apple only discloses the details of vulnerabilities after the rollout, and the list then reveals just how much has changed beneath the surface.
