iOS 26.5 fixes 60 security flaws

Apple released iOS 26.5 and iPadOS 26.5 on May 11, according to its security advisory, and the company said the software contains security fixes for a long list of vulnerabilities. Apple’s support document says the update applies to iPhone 11 and later, along with recent iPad models. (support.apple.com) Forbes reported on May 12 that the release fixes more than 60 flaws and urged users to install it quickly. Apple’s public notes for iOS 26.5 also say the update adds end-to-end encrypted RCS messaging in beta, a Pride Luminance wallpaper and other bug fixes. ### How broad is the security patch list in iOS 26.5? Apple’s advisory for iOS 26.5 spans dozens of components, from the Accelerate framework and Accounts to APFS, AppleJPEG and App Intents. (apple.com) Forbes said the total runs to more than 60 vulnerabilities, a figure that matches the scale of Apple’s unusually long support document for the release. Apple does not publish a single headline number in the advisory, but the document lists issue after issue with separate CVE identifiers and impact statements. May 11 is the release date Apple gives for iOS 26.5 and iPadOS 26.5. Apple says its practice is not to “disclose, discuss, or confirm” security issues until an investigation has taken place and patches are available, a policy the company says is meant to protect customers while updates are rolling out. (support.apple.com) ### Which kinds of flaws did Apple say it fixed? Apple’s support page says some of the patched issues could let an app cause a denial of service, bypass certain privacy preferences, trigger unexpected system termination or break out of its sandbox. The App Intents entry says a malicious app may be able to escape its sandbox, while the Accounts entry says an app may be able to bypass certain privacy preferences. (support.apple.com) The AppleJPEG and other media-related entries describe cases where processing maliciously crafted content could crash software or cause other failures. Forbes reported that the update includes about a dozen WebKit fixes and several kernel issues. (support.apple.com) The publication highlighted CVE-2026-28951, which it said could allow an app to gain root privileges, and said WebKit flaws included bugs involving maliciously crafted web content. ### Did Apple say any of these bugs were already being used in attacks? Apple’s iOS 26.5 advisory, as surfaced in the available support text, does not flag the listed issues as actively exploited. Forbes said Adam Boynton, senior enterprise strategy manager at Jamf, reviewed the mix of WebKit, kernel and sandbox-related flaws and said those are the kinds of components often chained together in mobile attacks, while also noting that none of the vulnerabilities patched in iOS 26.5 were reported as actively exploited. (support.apple.com) Google’s Threat Analysis Group and Anthropic researchers were among those credited in Forbes’ account of the advisory. (forbes.com) Forbes said one kernel bug was credited to Google’s Threat Analysis Group and a separate WebKit flaw to Anthropic researchers working with Claude. ### What else changed in iOS 26.5 besides security fixes? Apple’s iOS 26 update page says iOS 26.5 introduces support for end-to-end encrypted RCS messaging in beta with supported carriers and that the feature will roll out over time. The same page says the release adds a downloadable Pride Luminance wallpaper and “Suggested Places” in Maps based on nearby trends and recent searches. (forbes.com) Apple says some features may not be available in all regions or on all iPhone models. iPhone users can install the update through Settings, General and Software Update, according to coverage from Forbes and other Apple-focused outlets. (forbes.com) Apple’s support materials identify iPhone 11 and later as supported devices for iOS 26.5. ### When will Apple talk about the next iPhone software? Apple said on March 23 that WWDC 2026 will run online from June 8 through June 12. The company said the conference opens with the keynote and Platforms State of the Union on Monday, June 8, and that sessions will stream through the Apple Developer app, Apple’s website and YouTube. (support.apple.com) June 8 is the next scheduled Apple software milestone in public company materials. Apple said developers and students will also be able to attend a special in-person event at Apple Park that day, while additional conference details will be shared in advance through Apple’s developer channels. (support.apple.com) (apple.com)