Apple's iOS 26, released on September 15, 2025, for iPhone 11 and later models including iPhone 15 and later, addresses a wide range of security vulnerabilities affecting multiple system components. The update includes fixes for 27 known vulnerabilities, enhancing the security and stability of the operating system.
Key vulnerabilities fixed in iOS 26 include issues in the Apple Neural Engine, AppleMobileFileIntegrity, audio processing, Safari, sandboxing, notes app, and WebKit process, among others. These vulnerabilities could potentially allow system crashes, unauthorized data access, app termination, memory corruption, sandbox escapes, and unauthorized access to sensitive data.
The Apple Neural Engine vulnerability (CVE-2025-43344) involved an out-of-bounds (OOB) access issue that could cause unexpected system termination. Apple fixed this by improving bounds checking to prevent crashes caused by malformed inputs.
The AppleMobileFileIntegrity component saw a permissions issue addressed (CVE-2025-43317), which could have allowed an app to access sensitive user data without proper authorization. The fix introduced additional restrictions to bolster data protection.
Several audio-related vulnerabilities were patched (CVE-2025-43346), including out-of-bounds access problems that could trigger app termination or corrupt process memory when handling maliciously crafted media files. Bounds checking improvements were implemented to mitigate these risks.
Safari-related vulnerabilities include issues like unexpected URL redirection from crafted content and use-after-free bugs in the WebKit process model (CVE-2025-31254 and CVE-2025-43368). These could lead to crashes or exploitation through malicious web content. The update strengthens Safari's resilience against such crafted content.
Sandbox security weaknesses (CVE-2025-43329) that could allow applications to escape their sandbox restrictions were fixed, enhancing the overall app sandboxing model to prevent escalations of privileges.
The Notes app addressed a vulnerability (CVE-2025-43203) where an attacker with physical access to a device could view locked images due to cache handling issues, which could compromise local security.
Other components such as CoreAudio and CoreMedia also received security updates to prevent memory corruption or app crashes when processing maliciously crafted files. Out-of-bounds access and permissions issues were fixed across various system services to better protect against unauthorized data access.
In addition, improvements were made to Bluetooth data redaction to prevent leakage of sensitive information, and the Text Input system was updated to prevent keyboard suggestions from revealing sensitive data on a locked screen. Siri was updated to ensure that Private Browsing tabs cannot be accessed without proper authentication, strengthening user privacy during voice interactions.
Call History functionality now includes improved redaction mechanisms to prevent fingerprinting by applications, and the Notes app was specifically updated to address security risks related to locked note content exposure.
The vulnerability fixes in iOS 26 provide a comprehensive tightening of security boundaries across many subsystems. The patches also extend protections against potential zero-day exploits lurking in media processing, web rendering, and system components crucial to device integrity and privacy.
Previously, Apple released urgent security updates such as iOS 18.6.2, which addressed a zero-day vulnerability related to Image/IO processing. This flaw could be exploited via maliciously crafted image files to trigger memory corruption and enable unauthorized code execution without user interaction. Apple explicitly warned users to update immediately due to active exploitation targeting individuals via spyware. This vulnerability underscored the importance of timely updates to prevent surveillance or unauthorized access to sensitive data on Apple devices.
Furthermore, Apple has extended similar security fixes compatible with iOS 26 to older operating system versions to protect a wider range of devices from known exploits, particularly those used by mercenary spyware targeting specific users. Updates were issued for macOS and earlier versions of iOS and iPadOS to cover 34 to 38 vulnerabilities, including the zero-day ImageIO exploit and other critical issues, demonstrating Apple's commitment to broad security coverage.
In summary, iOS 26 fixes critical vulnerabilities that could cause system crashes, memory corruption, unauthorized data access, sandbox escapes, and privacy leaks on iPhone 15 and later devices. The update strengthens bounds checking, permissions, sandboxing, and sanitization of web and media content to defend against both targeted and widespread attacks, enhancing overall device security and user privacy.
References:- Apple security update details iOS 26 fixing 27 vulnerabilities in various components including Apple Neural Engine, Sandbox, WebKit, Audio, and Notes (CVE-2025-43344, CVE-2025-43317, CVE-2025-43346).
- Prior critical zero-day fix in iOS 18.6.2 addressing ImageIO memory corruption exploited in targeted spyware attacks.
- Coverage of iOS 26 and concurrent security updates for older operating systems to protect from the same vulnerabilities.