iOS 26.2 update: Here is what Apple fixed in its latest security patch and how to stay safe
Apple has disclosed a wide-ranging set of security vulnerabilities affecting recent iPhone and iPad models, warning that some of the flaws could allow access to sensitive data, device crashes or, in rare cases, full system compromise.
The details were published on Apple’s support page on Friday as part of its latest security update.
Devices affected
According to Apple, the issues affect iPhone 11 and newer models, along with several iPad lines. These include iPad Pro models from the 3rd generation onwards, iPad Air from the 3rd generation, iPad from the 8th generation, and iPad mini from the 5th generation.
App Store and privacy risks
One of the vulnerabilities relates to the App Store, where a permissions flaw could have allowed an app to access sensitive payment tokens. Apple said the issue has now been fixed by tightening restrictions.
Similar permission and logging issues were addressed across system components such as Icons, Messages, MediaExperience, Screen Time, Telephony and Photos. In some cases, apps could have accessed private user data, Safari history, or information about other installed apps.
Kernel and system-level flaws
Apple also fixed a serious issue in the kernel that could have allowed a malicious app to gain root privileges. The company said this was caused by an integer overflow problem, which has now been resolved by moving to 64-bit timestamps.
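To illustrate the bug class behind that fix (an integer overflow resolved by widening timestamps to 64 bits), here is an added example; it is not Apple's code and not part of the original article. The function names, the millisecond unit and the sample values are hypothetical assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical lease check with 32-bit millisecond timestamps.
 * start_ms + ttl_ms is computed modulo 2^32, so a deadline that should
 * lie in the future can wrap around to a small value in the past. */
static uint32_t deadline_32(uint32_t start_ms, uint32_t ttl_ms)
{
    return start_ms + ttl_ms;            /* silently wraps */
}

static bool expired_32(uint32_t start_ms, uint32_t ttl_ms, uint32_t now_ms)
{
    return now_ms >= deadline_32(start_ms, ttl_ms);
}

/* Same check with 64-bit timestamps, plus an explicit guard so that an
 * extreme ttl is rejected instead of wrapping.
 * Returns false when the sum cannot be represented. */
static bool deadline_64(uint64_t start_ms, uint64_t ttl_ms, uint64_t *out)
{
    if (ttl_ms > UINT64_MAX - start_ms)
        return false;
    *out = start_ms + ttl_ms;
    return true;
}

static bool expired_64(uint64_t start_ms, uint64_t ttl_ms, uint64_t now_ms)
{
    uint64_t deadline;
    if (!deadline_64(start_ms, ttl_ms, &deadline))
        return false;                    /* unrepresentable deadline: not expired */
    return now_ms >= deadline;
}

int main(void)
{
    /* Constructed sample values: a clock close to the 32-bit limit. */
    uint32_t start = 4294967000u, ttl = 1000u, now = 4294967100u;
    printf("32-bit deadline: %u, expired: %d\n",
           (unsigned)deadline_32(start, ttl), expired_32(start, ttl, now));
    printf("64-bit expired: %d\n", expired_64(start, ttl, now));
    return 0;
}
```

With the same inputs, the 32-bit check reports the lease as expired because the deadline wrapped, while the 64-bit check does not.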
Other low-level components, including Foundation, Multi-Touch, libarchive and AppleJPEG, contained memory corruption bugs that could trigger app crashes or unexpected behaviour when processing malicious data or files.
FaceTime and calling concerns
Several fixes relate to FaceTime and the Calling Framework. These include issues where password fields could be exposed during remote device control sessions, and another flaw that could allow an attacker to spoof a FaceTime caller ID. Apple said improved state management resolved both problems.
WebKit vulnerabilities and targeted attacks
A large number of the disclosed issues affect WebKit, the browser engine used by Safari. Apple warned that maliciously crafted web content could cause crashes, memory corruption or, in the most serious cases, arbitrary code execution.
The company acknowledged reports that at least two WebKit vulnerabilities may have been exploited in “extremely sophisticated” targeted attacks against specific individuals on older versions of iOS, prior to iOS 26. These issues have now been patched.
Open source components
Some vulnerabilities originated in open source software used by Apple, including curl and libarchive. Apple noted that these issues were assigned CVE identifiers by third parties and that its software was among the affected projects.
Security update advised
Apple has not indicated that the majority of the vulnerabilities were exploited at scale, but it is urging users to update their devices to the latest software versions to ensure protection against the disclosed flaws.