Apple releases iOS/iPadOS 26.5 with dozens of security patches

Apple’s new iPhone and iPad update is really two stories at once. One is the boring but important one — a big pile of security fixes. The other is the part regular people will actually notice — some green-bubble RCS chats with Android phones can now be end-to-end encrypted. Both landed in iOS 26.5 and iPadOS 26.5 on May 11. ### What actually shipped? Apple pushed iOS 26.5 and iPadOS 26.5 to supported devices on Monday, May 11, 2026. The security advisory covers iPhone 11 and later, plus recent iPad Pro, iPad Air, iPad, and iPad mini models. This is a standard point release on paper, but it is not a tiny cleanup patch. ### Why are people calling this a security release? Because the advisory is long. (support.apple.com) Very long. Apple’s iOS 26.5 security page lists fixes across a wide spread of components, not one isolated bug. The visible examples near the top already show the pattern: one issue could let an app trigger a denial of service, another could let an app bypass certain privacy preferences, another could cause unexpected system termination, and another could let a malicious app break out of its sandbox. That is the kind of list IT teams care about, because it touches both stability and containment. ### What kinds of bugs got fixed? A mix of ugly, low-level problems. Apple calls out out-of-bounds reads, buffer overflows, permissions issues, and logic flaws in the advisory. There are also image-processing bugs — the kind that matter because simply handling hostile content can be enough to crash software or open a path to worse behavior. Apple does not frame these as one active emergency exploit chain, but the breadth matters. Dozens of smaller holes across the OS add up to a larger attack surface. (support.apple.com) ### What’s the RCS change? This is the user-facing headline. Starting with iOS 26.5, Apple began rolling out end-to-end encrypted RCS messaging in beta. That means some iPhone-to-Android chats using RCS — the newer standard that replaces plain SMS for richer texting — can now be protected so messages cannot be read in transit between devices. Apple says users will see a lock icon in encrypted RCS conversations, and encryption is on by default where supported. (support.apple.com) ### Is every green-bubble chat encrypted now? No — and that’s the catch. RCS is still a carrier-provided service, so encryption depends on carrier support on both sides of the conversation. Apple is explicit about this: even if your carrier supports encrypted RCS, the chat is only encrypted when the other person’s carrier supports it too. If you do not see the lock icon and “Encrypted” indicator, the conversation is not getting that protection. (apple.com) ### Why does that matter so much? Because cross-platform texting has been the awkward gap in Apple’s messaging story for years. iMessage already had end-to-end encryption inside the Apple world. SMS did not. Early RCS support improved media quality and typing indicators, but not this privacy layer. iOS 26.5 starts closing that gap — not completely, but enough that iPhone and Android users can finally get something closer to modern secure messaging without switching apps. (support.apple.com) ### Who should update first? Basically everyone, but especially companies managing fleets of iPhones and iPads. When an update fixes dozens of bugs across permissions, sandboxing, file systems, and content parsing, delay stops being a convenience choice and starts looking like avoidable exposure. Regular users should update for the same reason — this is exactly the kind of release where “I’ll do it later” ages badly. (apple.com) ### Bottom line? iOS 26.5 is not flashy, but it is one of those releases that quietly matters. It closes a lot of security holes, and it makes at least some iPhone-to-Android texting meaningfully more private. That is a solid update — and one worth installing quickly. (support.apple.com)