Lifestyle

Apple Is Changing How It Issues Security Updates Due to Threats From AI

Apple Is Changing How It Issues Security Updates Due to Threats From AI
Image: lifehacker.com

We may earn a commission from links on this page.

While the tech world's collective attention is currently fixed on iOS 27, Apple is still churning out updates to iOS 26. While we're not likely to get another feature-filled release in the "26" era, there will always be bugs and security flaws to squash whenever Apple or third-party researchers discover them. Case in point: On Monday, Apple dropped iOS 26.5.2, which includes fixes for 29 security vulnerabilities.

More interesting than what bugs these patches fix, however, is that the company didn't originally intend to release them yet. In fact, iOS 26.5.2 marks a stark change in how Apple rolls out security updates, in large part due to potential threats from new AI models.

Apple is changing how it handles security updates

iOS 26.5.2 wasn't always meant to be. Apple told Reuters earlier this week that these patches were actually meant for a future version of iOS—perhaps iOS 26.6—but the company is now changing how it handles security updates going forward, specifically due to the security threats of models like Anthropic's Claude Mythos. These models can easily detect security vulnerabilities in software earlier than human researchers, and, as such, Apple feels it necessary to release patches as soon as they're available. Traditionally, the company bundles security patches with its typical software updates, as opposed to other companies that separate security patches from feature updates. But as these new AI models spread, and the risk of bad actors discovering security vulnerabilities grows, Apple will now release new patches much sooner than it normally would.

As such, you should expect to see more updates appear on your Apple devices than in the past. I wouldn't be surprised to see iOS 26.5.3 hit the scene before an iOS 26.6, and Apple may release more "iOS 26" updates than usual before iOS 27 drops this fall. You should always update your devices whenever those updates become available, as the threat from AI security models really is significant.

Here's what iOS 26.5.2 patches

First, the good news: None of these vulnerabilities appears to be a "zero-day." A zero-day is a security flaw that is publicly disclosed or actively exploited before the software developer has a chance to issue a patch. They're especially dangerous, since it gives hackers the advantage: They can attempt to find an exploit—or, worse, take advantage of that exploit—for as long as it takes the developer to issue an update, and for its user base to install it. Luckily, none of these flaws appear to qualify, meaning this isn't a mission-critical situation. Still, any unpatched security flaw is concerning, and now that these are disclosed, it's only a matter of time before someone figures out how to exploit them—especially when assisted by new AI models. As such, it's important to install iOS 26.5.2 as soon as possible.

According to Apple's official security release notes, iOS 26.5.2 (and iPadOS 26.5.2) patches 29 security flaws. Many of the flaws have to do with how WebKit, Apple's engine that powers Safari, secures user data. You'll see some flaws that could expose sensitive data if the user processes malicious web content (e.g., if you click a fraudulent link), as well as one vulnerability that could leak sensitive data just by visiting a website, even if that site isn't necessarily malicious. Another patch handles a flaw that would let malicious websites process data outside of the "sandbox," or the secure element that Apple keeps websites in so they don't venture into secure parts of iOS, while another patches a flaw that could steal clipboard data without your knowledge.

You'll find all 29 patches listed below, along with a description, the fix, and the CVE (Common Vulnerabilities and Exposures) number used to track them. Again, none of these flaws has a known active exploit.

  1. IOGPUFamily: An app may be able to cause unexpected system termination. A race condition was addressed with improved state handling. CVE-2026-43743: Lyutoon, Dun

  2. Kernel: An app may be able to cause unexpected system termination or write kernel memory. The issue was addressed with improved input sanitization. CVE-2026-43724:

  3. Kernel: An app may be able to leak sensitive kernel state. The issue was addressed with improved input sanitization. CVE-2026-43722.

  4. Kernel: An app may be able to cause unexpected system termination or corrupt kernel memory. This issue was addressed with improved input validation. CVE-2026-39868.

  5. libxslt: Processing maliciously crafted web content may lead to an unexpected process crash. A double free issue was addressed with improved memory management. CVE-2026-43706.

  6. libxslt: Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved memory handling. CVE-2026-43703.

  7. Web Extensions: A malicious web extension may be able to cause an unexpected process crash. A use-after-free issue was addressed with improved memory management. CVE-2026-43704.

  8. WebKit: Processing maliciously crafted web content may disclose sensitive user information. A cross-origin issue was addressed with improved tracking of security origins. CVE-2026-43700.

  9. WebKit: A malicious website may exfiltrate data cross-origin. The issue was addressed with improved checks. CVE-2026-43735.

  10. WebKit: Processing maliciously crafted web content may lead to an unexpected process crash. A use-after-free issue was addressed with improved memory management. CVE-2026-43734/CVE-2026-43726/CVE-2026-43709/CVE-2026-43699/CVE-2026-43742.

  11. WebKit: Processing maliciously crafted web content may disclose sensitive user information. A path handling issue was addressed with improved validation. CVE-2026-43732.

  12. WebKit: Processing maliciously crafted web content may lead to memory corruption. A use-after-free issue was addressed with improved memory management. CVE-2026-43731/CVE-2026-43715.

  13. WebKit: Processing maliciously crafted web content may lead to an unexpected Safari crash. A use-after-free issue was addressed with improved memory management. CVE-2026-43727.

  14. WebKit: A malicious website may be able to process restricted web content outside the sandbox. The issue was addressed with improved input validation. CVE-2026-43725.

  15. WebKit: Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved memory handling. CVE-2026-43663/CVE-2026-39872/CVE-2026-43712.

  16. WebKit: Processing maliciously crafted web content may lead to an unexpected Safari crash. The issue was addressed with improved memory handling. CVE-2026-43716.

  17. WebKit: Processing maliciously crafted web content may lead to an unexpected Safari crash. An out-of-bounds access issue was addressed with improved bounds checking. CVE-2026-43676.

  18. WebKit: Processing maliciously crafted web content may result in the disclosure of process memory. The issue was addressed with improved memory handling. CVE-2026-43740.

  19. WebKit: Visiting a website may leak sensitive data. A permissions issue was addressed with additional restrictions. CVE-2026-43713.

  20. WebKit: A malicious website may exfiltrate data cross-origin. The issue was addressed with improved input validation. CVE-2026-43708.

  21. WebKit: Processing maliciously crafted web content may lead to an unexpected process crash. A memory corruption issue was addressed with improved memory handling. CVE-2026-43707.

  22. WebKit: Processing maliciously crafted web content may lead to memory corruption. A type confusion issue was addressed with improved checks. CVE-2026-43705.

  23. WebKit: A malicious website may be able to process restricted web content outside the sandbox. The issue was addressed with improved checks. CVE-2026-43701.

  24. WebKit: Processing maliciously crafted web content may lead to an unexpected Safari crash. An out-of-bounds write issue was addressed with improved input validation. CVE-2026-43745.

  25. WebKit Canvas: Processing maliciously crafted web content may lead to an unexpected Safari crash. A use-after-free issue was addressed with improved memory management. CVE-2026-43720.

  26. WebKit Storage: A malicious website may be able to silently hijack clipboard data. This issue was addressed through improved state management. CVE-2026-43721.

  27. WebRTC: Processing maliciously crafted web content may lead to an unexpected process crash. An out-of-bounds access issue was addressed with improved bounds checking. CVE-2026-28979.

  28. WebRTC: Processing maliciously crafted web content may lead to an unexpected Safari crash. A stack overflow was addressed with improved input validation. CVE-2026-43718.

  29. WebRTC: Processing maliciously crafted web content may lead to an unexpected Safari crash. A use-after-free issue was addressed with improved memory management. CVE-2026-43717/CVE-2026-43746.

How to update to iOS 26.5.2

Installing this security patch is the same as any other iOS update. If you have Automatic Updates enabled, the OS should update on its own in due time. However, you can manually kick-start the process by heading to General > Software Update and following the on-screen instructions.

This is a preview from the original publisher. Continue reading at the source:

Read Full Article on lifehacker.com →

More News