Update Your iPhone Now to Patch These 29 Security Flaws

While the tech world’s collective attention is currently fixed on iOS 27, Apple is still churning out updates to iOS 26. While we’re not likely to get another feature-filled release in the “26” era, there will always be bugs and security flaws to squash whenever Apple or third-party researchers discover them. Case in point: On Monday, Apple dropped iOS 26.5.2, which comes with fixes for 29 security vulnerabilities.

First, the good news: None of these vulnerabilities appears to be a “zero-day.” A zero-day is a security flaw that is publicly disclosed or actively exploited before the software developer has a chance to issue a patch. They’re especially dangerous, since it gives hackers the advantage: They can attempt to find an exploit—or, worse, take advantage of that exploit—for as long as it takes the developer to issue an update, and for its user base to install it. Luckily, none of these flaws appear to qualify, meaning this isn’t a mission critical situation. Still, any unpatched security flaw is concerning, and now that these are disclosed, it’s only a matter of time before someone figures out how to exploit them. As such, it’s important to install iOS 26.5.2 as soon as possible.

Here’s what iOS 26.5.2 patches

According to Apple’s official security release notes, iOS 26.5.2 (and iPadOS 26.5.2) patches 29 security flaws. Many of the flaws have to do with how WebKit, Apple’s engine that powers Safari, secures user data. You’ll see some flaws that could expose sensitive data if the user processes malicious web content (e.g., if you click a fraudulent link), as well as one vulnerability that could leak sensitive data just by visiting a website, even if that site isn’t necessarily malicious. Another patch handles a flaw that would let malicious websites process data outside of the “sandbox,” or the secure element that Apple keeps websites in so they don’t venture into secure parts of iOS, while another patches a flaw that could steal clipboard data without your knowledge.

You’ll find all 29 patches listed below, along with a description, the fix, and the CVE (Common Vulnerabilities and Exposures) number used to track them. Again, none of these flaws has a known active exploit.

1. IOGPUFamily: An app may be able to cause unexpected system termination. A race condition was addressed with improved state handling. CVE-2026-43743: Lyutoon, Dun

2. Kernel: An app may be able to cause unexpected system termination or write kernel memory. The issue was addressed with improved input sanitization. CVE-2026-43724:

3. Kernel: An app may be able to leak sensitive kernel state. The issue was addressed with improved input sanitization. CVE-2026-43722.

4. Kernel: An app may be able to cause unexpected system termination or corrupt kernel memory. This issue was addressed with improved input validation. CVE-2026-39868.

5. libxslt: Processing maliciously crafted web content may lead to an unexpected process crash. A double free issue was addressed with improved memory management. CVE-2026-43706.

6. libxslt: Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved memory handling. CVE-2026-43703.

7. Web Extensions: A malicious web extension may be able to cause an unexpected process crash. A use-after-free issue was addressed with improved memory management. CVE-2026-43704.

8. WebKit: Processing maliciously crafted web content may disclose sensitive user information. A cross-origin issue was addressed with improved tracking of security origins. CVE-2026-43700.

9. WebKit: A malicious website may exfiltrate data cross-origin. The issue was addressed with improved checks. CVE-2026-43735.

10. WebKit: Processing maliciously crafted web content may lead to an unexpected process crash. A use-after-free issue was addressed with improved memory management. CVE-2026-43734/CVE-2026-43726/CVE-2026-43709/CVE-2026-43699/CVE-2026-43742.

11. WebKit: Processing maliciously crafted web content may disclose sensitive user information. A path handling issue was addressed with improved validation. CVE-2026-43732.

12. WebKit: Processing maliciously crafted web content may lead to memory corruption. A use-after-free issue was addressed with improved memory management. CVE-2026-43731/CVE-2026-43715.

13. WebKit: Processing maliciously crafted web content may lead to an unexpected Safari crash. A use-after-free issue was addressed with improved memory management. CVE-2026-43727.

14. WebKit: A malicious website may be able to process restricted web content outside the sandbox. The issue was addressed with improved input validation. CVE-2026-43725.

15. WebKit: Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved memory handling. CVE-2026-43663/CVE-2026-39872/CVE-2026-43712.

16. WebKit: Processing maliciously crafted web content may lead to an unexpected Safari crash. The issue was addressed with improved memory handling. CVE-2026-43716.

17. WebKit: Processing maliciously crafted web content may lead to an unexpected Safari crash. An out-of-bounds access issue was addressed with improved bounds checking. CVE-2026-43676.

18. WebKit: Processing maliciously crafted web content may result in the disclosure of process memory. The issue was addressed with improved memory handling. CVE-2026-43740.

19. WebKit: Visiting a website may leak sensitive data. A permissions issue was addressed with additional restrictions. CVE-2026-43713.

20. WebKit: A malicious website may exfiltrate data cross-origin. The issue was addressed with improved input validation. CVE-2026-43708.

21. WebKit: Processing maliciously crafted web content may lead to an unexpected process crash. A memory corruption issue was addressed with improved memory handling. CVE-2026-43707.

22. WebKit: Processing maliciously crafted web content may lead to memory corruption. A type confusion issue was addressed with improved checks. CVE-2026-43705.

23. WebKit: A malicious website may be able to process restricted web content outside the sandbox. The issue was addressed with improved checks. CVE-2026-43701.

24. WebKit: Processing maliciously crafted web content may lead to an unexpected Safari crash. An out-of-bounds write issue was addressed with improved input validation. CVE-2026-43745.

25. WebKit Canvas: Processing maliciously crafted web content may lead to an unexpected Safari crash. A use-after-free issue was addressed with improved memory management. CVE-2026-43720.

26. WebKit Storage: A malicious website may be able to silently hijack clipboard data. This issue was addressed through improved state management. CVE-2026-43721.

27. WebRTC: Processing maliciously crafted web content may lead to an unexpected process crash. An out-of-bounds access issue was addressed with improved bounds checking. CVE-2026-28979.

28. WebRTC: Processing maliciously crafted web content may lead to an unexpected Safari crash. A stack overflow was addressed with improved input validation. CVE-2026-43718.

29. WebRTC: Processing maliciously crafted web content may lead to an unexpected Safari crash. A use-after-free issue was addressed with improved memory management. CVE-2026-43717/CVE-2026-43746.

How to update to iOS 26.5.2

Installing this security patch is the same as any other iOS update. If you have Automatic Updates enabled, the OS should update on its own in due time. However, you can manually kick-start the process by heading to General > Software Update and following the on-screen instructions.