.inline-media-container.loading { background: none; } .inline-media-container.loading::after, .inline-media-container.loading-empty::after { display: none; content: none; } .inline-media-container.loading video { display: block !important; }

About the security content of iOS 26.5 and iPadOS 26.5

This document describes the security content of iOS 26.5 and iPadOS 26.5.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

iOS 26.5 and iPadOS 26.5

Released May 11, 2026

Accelerate

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to cause a denial-of-service

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2026-28991: Seiji Sakurai (@HeapSmasher)

Accounts

Impact: An app may be able to bypass certain Privacy preferences

Description: A permissions issue was addressed with additional restrictions.

CVE-2026-28988: Asaf Cohen

APFS

Impact: An app may be able to cause unexpected system termination

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2026-28959: Dave G.

App Intents

Impact: A malicious app may be able to break out of its sandbox

Description: A logic issue was addressed with improved restrictions.

CVE-2026-28995: Vamshi Paili, Tony Gorez (@tonygo_) for Reverse Society

AppleJPEG

Impact: Processing a maliciously crafted image may lead to a denial-of-service

Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.

CVE-2026-1837

AppleJPEG

Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory

Description: A memory corruption issue was addressed with improved input validation.

CVE-2026-28956: impost0r (ret2plt)

Audio

Impact: Processing an audio stream in a maliciously crafted media file may terminate the process

Description: The issue was addressed with improved memory handling.

CVE-2026-39869: David Ige of Beryllium Security

CoreAnimation

Impact: An app may be able to access sensitive user data

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2026-28964: Alan Wang, Christopher W. Fletcher, Hovav Shacham, David Kohlbrenner, Riccardo Paccagnella

CoreServices

Impact: Processing a maliciously crafted file may lead to unexpected app termination

Description: The issue was addressed with improved checks.

CVE-2026-28936: Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs

CoreSymbolication

Impact: Parsing a maliciously crafted file may lead to an unexpected app termination

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2026-28918: Niels Hofmans, Anonymous working with TrendAI Zero Day Initiative

FileProvider

Impact: An app may be able to access sensitive user data

Description: A race condition was addressed with additional validation.

CVE-2026-43659: Alex Radocea

ImageIO

Impact: Processing a maliciously crafted image may corrupt process memory

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2026-43661: an anonymous researcher

ImageIO

Impact: Processing a maliciously crafted file may lead to unexpected app termination

Description: The issue was addressed with improved bounds checks.

CVE-2026-28977: Suresh Sundaram

ImageIO

Impact: Processing a maliciously crafted image may corrupt process memory

Description: The issue was addressed with improved memory handling.

CVE-2026-28990: Jiri Ha, Arni Hardarson

IOHIDFamily

Impact: An attacker may be able to cause unexpected app termination

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2026-28992: Johnny Franks (@zeroxjf)

IOHIDFamily

Impact: An app may be able to determine kernel memory layout

Description: A logging issue was addressed with improved data redaction.

CVE-2026-28943: Google Threat Analysis Group

IOKit

Impact: An app may be able to cause unexpected system termination

Description: A use after free issue was addressed with improved memory management.

CVE-2026-28969: Mihalis Haatainen, Ari Hawking, Ashish Kunwar

IOSurfaceAccelerator

Impact: An app may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2026-43655: Somair Ansar and an anonymous researcher

Kernel

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2026-43654: Vaagn Vardanian, Nathaniel Oh (@calysteon)

Kernel

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: A buffer overflow was addressed with improved input validation.

CVE-2026-28897: popku1337, Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Robert Tran, Aswin kumar Gokulakannan

Kernel

Impact: An app may be able to gain root privileges

Description: An authorization issue was addressed with improved state management.

CVE-2026-28951: Csaba Fitzl (@theevilbit) of Iru

Kernel

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2026-28972: Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd., Ryan Hileman via Xint Code (xint.io)

Kernel

Impact: An app may be able to cause unexpected system termination

Description: A race condition was addressed with additional validation.

CVE-2026-28986: Chris Betz, Tristan Madani (@TristanInSec) from Talence Security, Ryan Hileman via Xint Code (xint.io)

Kernel

Impact: An app may be able to leak sensitive kernel state

Description: A logging issue was addressed with improved data redaction.

CVE-2026-28987: Dhiyanesh Selvaraj (@redroot97)

LaunchServices

Impact: A remote attacker may be able to cause a denial of service

Description: A type confusion issue was addressed with improved checks.

CVE-2026-28983: Ruslan Dautov

mDNSResponder

Impact: An attacker on the local network may be able to cause a denial-of-service

Description: The issue was addressed with improved memory handling.

CVE-2026-43653: Atul R V

mDNSResponder

Impact: An attacker on the local network may be able to cause a denial-of-service

Description: A null pointer dereference was addressed with improved input validation.

CVE-2026-28985: Omar Cerrito

mDNSResponder

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: A use after free issue was addressed with improved memory management.

CVE-2026-43668: Anton Pakhunov, Ricardo Prado

mDNSResponder

Impact: An attacker on the local network may be able to cause a denial-of-service

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2026-43666: Ian van der Wurff (ian.nl)

Model I/O

Impact: Processing a maliciously crafted image may corrupt process memory

Description: The issue was addressed with improved memory handling.

CVE-2026-28940: Michael DePlante (@izobashi) of TrendAI Zero Day Initiative

Networking

Impact: An attacker may be able to track users through their IP address

Description: This issue was addressed through improved state management.

CVE-2026-28906: Ilya Sc. Jowell A.

Quick Look

Impact: Parsing a maliciously crafted file may lead to an unexpected app termination

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2026-43656: Peter Malone

SceneKit

Impact: A remote attacker may be able to cause unexpected app termination

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2026-28846: Peter Malone

Screenshots

Available for: iPhone 15 and later

Impact: An attacker with physical access may be able to use Visual Intelligence to access sensitive user data during iPhone Mirroring

Description: A privacy issue was addressed by removing the vulnerable code.

CVE-2026-28963: Jorge Welch

Shortcuts

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed by adding an additional prompt for user consent.

CVE-2026-28993: Doron Assness

Spotlight

Impact: An app may be able to cause a denial-of-service

Description: This issue was addressed with improved checks to prevent unauthorized actions.

CVE-2026-28974: Andy Koo (@andykoo) of Hexens

Status Bar

Impact: An app may be able to capture a user's screen

Description: An issue with app access to camera metadata was addressed with improved logic.

CVE-2026-28957: Adriatik Raci

Storage

Impact: An app may be able to access sensitive user data

Description: A race condition was addressed with additional validation.

CVE-2026-28996: Alex Radocea

WebKit

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: A validation issue was addressed with improved logic.

WebKit Bugzilla: 308906

CVE-2026-43660: Cantina

WebKit

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: The issue was addressed with improved input validation.

WebKit Bugzilla: 308675

CVE-2026-28907: Cantina

WebKit

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: This issue was addressed with improved access restrictions.

WebKit Bugzilla: 309698

CVE-2026-28962: Luke Francis, Vaagn Vardanian, kwak kiyong / kakaogames, Vitaly Simonovich, Adel Bouachraoui, greenbynox

WebKit

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 307669

CVE-2026-43658: Do Young Park

WebKit

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 308545

CVE-2026-28905: Yuhao Hu, Yuanming Lai, Chenggang Wu, and Zhe Wang

WebKit Bugzilla: 308707

CVE-2026-28847: DARKNAVY (@DarkNavyOrg), Anonymous working with TrendAI Zero Day Initiative, Daniel Rhea

WebKit Bugzilla: 309601

CVE-2026-28904: Luka Rački

WebKit Bugzilla: 310880

CVE-2026-28955: wac and Kookhwan Lee working with TrendAI Zero Day Initiative

WebKit Bugzilla: 310303

CVE-2026-28903: Mateusz Krzywicki (iVerify.io)

WebKit Bugzilla: 309628

CVE-2026-28953: Maher Azzouzi

WebKit Bugzilla: 309861

CVE-2026-28902: Tristan Madani (@TristanInSec) from Talence Security, Nathaniel Oh (@calysteon)

WebKit Bugzilla: 310207

CVE-2026-28901: Aisle offensive security research team (Joshua Rogers, Luigino Camastra, Igor Morgenstern, and Guido Vranken), Maher Azzouzi, Ngan Nguyen of Calif.io

WebKit Bugzilla: 311631

CVE-2026-28913: an anonymous researcher

WebKit

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 313939

CVE-2026-28883: kwak kiyong / kakaogames

WebKit

Impact: An app may be able to access sensitive user data

Description: This issue was addressed with improved data protection.

WebKit Bugzilla: 311228

CVE-2026-28958: Cantina

WebKit

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved input validation.

WebKit Bugzilla: 310527

CVE-2026-28917: Vitaly Simonovich

WebKit

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 310234

CVE-2026-28947: dr3dd

WebKit Bugzilla: 312180

CVE-2026-28942: Milad Nasr and Nicholas Carlini with Claude, Anthropic

WebKit

Impact: A malicious iframe may use another website’s download settings

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 311288

CVE-2026-28971: Khiem Tran

WebRTC

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 311131

CVE-2026-28944: Kenneth Hsu of Palo Alto Networks, Jérôme DJOUDER, dr3dd

Wi-Fi

Impact: An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Wi-Fi packets

Description: A use after free issue was addressed with improved memory management.

CVE-2026-28994: Alex Radocea

WidgetKit

Impact: A user may be able to view restricted content from the lock screen

Description: A privacy issue was addressed with improved checks.

CVE-2026-28965: Abhay Kailasia (@abhay_kailasia) from Safran Mumbai India

zlib

Impact: Visiting a maliciously crafted website may leak sensitive data

Description: An information leakage was addressed with additional validation.

CVE-2026-28920: Brendon Tiszka of Google Project Zero

Additional recognition

App Intents

We would like to acknowledge Mikael Kinnman for their assistance.

Apple Account

We would like to acknowledge Iván Savransky, YingQi Shi (@Mas0nShi) of DBAppSecurity's WeBin lab for their assistance.

Audio

We would like to acknowledge Brian Carpenter for their assistance.

AuthKit

We would like to acknowledge Gongyu Ma (@Mezone0) for their assistance.

CoreUI

We would like to acknowledge Mustafa Calap for their assistance.

ICU

We would like to acknowledge an anonymous researcher for their assistance.

Kernel

We would like to acknowledge Ryan Hileman via Xint Code (xint.io), Suresh Sundaram, an anonymous researcher for their assistance.

libnetcore

We would like to acknowledge Chris Staite and David Hardy of Menlo Security Inc for their assistance.

Libnotify

We would like to acknowledge Ilias Morad (@A2nkF_) for their assistance.

Location

We would like to acknowledge Kun Peeks (@SwayZGl1tZyyy) for their assistance.

Mail

We would like to acknowledge Himanshu Bharti (@Xpl0itme) From Khatima for their assistance.

mDNSResponder

We would like to acknowledge Jason Grove for their assistance.

Messages

We would like to acknowledge Bishal Kafle, Jeffery Kimbrow for their assistance.

Multi-Touch

We would like to acknowledge Asaf Cohen for their assistance.

Notes

We would like to acknowledge Asilbek Salimov, Mohamed Althaf for their assistance.

Photos

We would like to acknowledge Abhay Kailasia (@abhay_kailasia) from Safran Mumbai India, Christopher Mathews for their assistance.

Safari Private Browsing

We would like to acknowledge Dalibor Milanovic for their assistance.

Shortcuts

We would like to acknowledge Jacob Prezant (prezant.us) for their assistance.

Siri

We would like to acknowledge Yoav Magid for their assistance.

UIKit

We would like to acknowledge Shaheen Fazim for their assistance.

WebKit

We would like to acknowledge Muhammad Zaid Ghifari (Mr.ZheeV), Kalimantan Utara, Qadhafy Muhammad Tera, Vitaly Simonovich for their assistance.

WebRTC

We would like to acknowledge Hyeonji Son (@jir4vv1t) of Demon Team for their assistance.

Wi-Fi

We would like to acknowledge Yusuf Kelany for their assistance.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: May 11, 2026