Apple released iOS 26.1 and iPadOS 26.1, addressing multiple vulnerabilities that could lead to privacy breaches, app crashes, and potential data leaks for iPhone and iPad users.
The update targets devices starting from the iPhone 11 series and various iPad models, including the iPad Pro (3rd generation 12.9-inch and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later).
This release underscores Apple's ongoing commitment to rapid response against evolving threats, especially as cyber risks intensify in an era of advanced malware and targeted attacks.
The patches address over 50 issues across core components like WebKit, the Kernel, and Accessibility features. Many stem from memory corruption risks, privacy issues, and sandbox escapes, which could allow malicious apps to snoop on user data or destabilize the system.
Security researchers from ByteDance, Trend Micro's Zero Day Initiative, Google, and independent experts discovered most flaws, highlighting the collaborative nature of vulnerability hunting in the iOS ecosystem.
Several fixes focus on preventing apps from overstepping boundaries, a common vector for data theft. For instance, in Accessibility (CVE-2025-43442), a permissions flaw let apps detect other installed applications, potentially enabling fingerprinting.
Apple mitigated this with stricter restrictions. Similarly, the Apple Account component (CVE-2025-43455) blocked malicious apps from screenshotting sensitive info in embedded views through enhanced privacy checks.
In the Kernel and Apple Neural Engine, memory handling improvements (CVE-2025-43398, CVE-2025-43447, CVE-2025-43462) prevent unexpected crashes or kernel corruption, which could lead to denial-of-service attacks.
Assets and CloudKit updates (CVE-2025-43407, CVE-2025-43448) reinforce sandbox integrity by validating symlinks more rigorously and preventing apps from escaping their confines to access protected files.
Contacts and Photos also received logging and temporary file tweaks (CVE-2025-43426, CVE-2025-43391) to redact sensitive data and curb unauthorized access. A notable fix in Stolen Device Protection (CVE-2025-43422) adds logic to prevent physical attackers from disabling the feature, vital for protecting lost or stolen devices.
WebKit, powering Safari and web views, dominates the update with fixes for crashes, memory corruption, and cross-origin data exfiltration.
A use-after-free vulnerability (CVE-2025-43438) could crash Safari via malicious content, while buffer overflows (CVE-2025-43429) risked arbitrary code execution.
Apple addressed these through better memory management, bounds checking, and disabling risky optimizations like array allocation sinking (CVE-2025-43421).
Privacy threats include keystroke monitoring (CVE-2025-43495) and cross-origin image theft in Canvas (CVE-2025-43392). Visiting spoofed sites could trick users (CVE-2025-43493, CVE-2025-43503), now countered with UI state improvements.
Other components like Camera, Siri, and Text Input received targeted patches for logic flaws and lock screen leaks (CVE-2025-43450, CVE-2025-43454, CVE-2025-43452).
Experts urge immediate updates, as unpatched devices remain vulnerable to zero-day exploits. Apple's security page details all fixes, crediting researchers under its bounty program. With iOS 26.1, users gain stronger defenses against a landscape rife with sophisticated threats.