Apple has disclosed a wide-ranging set of security vulnerabilities affecting recent iPhone and iPad models, warning that some of the flaws could allow access to sensitive data, device crashes, or in rare cases, full system compromise.
New Delhi
Apple has revealed a wide range of security vulnerabilities affecting recent iPhone and iPad models, warning that some flaws could allow unauthorized access to sensitive data, cause device crashes, or, in rare cases, result in full system compromise. The details were published on Apple’s support page as part of the iOS 26.2 security update released on Friday.
Affected Devices
The update addresses issues on iPhone 11 and newer, as well as several iPad models, including iPad Pro (3rd generation onwards), iPad Air (3rd generation onwards), iPad (8th generation), and iPad mini (5th generation).
App Store and Privacy Fixes
One critical vulnerability involved the App Store, where a permissions flaw could have allowed apps to access sensitive payment tokens. Apple has resolved this by tightening restrictions. Similar issues affecting system components such as Messages, Media Experience, Screen Time, Telephony, Photos, and Icons could have exposed private user data, Safari history, or details about other installed apps.
Kernel and System-Level Security
A major kernel flaw, caused by an integer overflow, could have allowed a malicious app to gain root access. Apple has addressed this by switching to 64-bit timestamps. Additional memory corruption bugs in low-level components like Foundation, Multi-Touch, libarchive, and Apple JPEG could trigger crashes or unexpected behaviour when processing malicious files or data.
FaceTime and Calling Vulnerabilities
iOS 26.2 also fixes issues in FaceTime and the Calling Framework, including exposure of password fields during remote device control and the potential to spoof FaceTime caller IDs. Apple says improved state management resolves these vulnerabilities.
WebKit and Targeted Attacks
Many of the disclosed vulnerabilities affect WebKit, the engine behind Safari. Malicious web content could lead to crashes, memory corruption, or even arbitrary code execution. Apple confirmed that at least two WebKit vulnerabilities may have been exploited in highly sophisticated targeted attacks against specific individuals on older iOS versions. These have now been patched.
Open Source Component Issues
Some flaws were traced to open-source components like curl and libarchive, with CVE identifiers assigned by third-party maintainers. Apple’s software was among the affected projects.
Update Recommended
While most vulnerabilities do not appear to have been widely exploited, Apple strongly urges users to update their devices to iOS 26.2 to safeguard against potential threats.
.webp "Representational Image")
.png)
