Apple has released iOS 26.5.2, iPadOS 26.5.2, macOS Tahoe 26.5.2, and Safari 26.5.2, security updates that collectively address dozens of vulnerabilities across multiple system components. The updates represent one of the company’s more substantial patch cycles, with 37 fixes shipped in the operating system releases alone.

WebKit Dominates the Vulnerability Count

Of the 37 flaws patched in iOS, iPadOS, and macOS Tahoe, 26 reside in WebKit, Apple’s browser engine. Affected sub-components include WebKit Canvas and WebKit Storage. According to Apple’s advisories, these bugs could be triggered by visiting a malicious website and could lead to a range of consequences, including:

  • Data exfiltration and sensitive information leakage
  • Memory corruption and disclosure of process memory
  • Clipboard data hijacking
  • Processing restricted web content outside the sandbox
  • Safari crashes

The remaining 11 flaws affect other OS components, including IOGPUFamily, the kernel, libxslt, Web Extensions, and WebRTC. Those issues could result in system crashes, kernel memory writes, kernel state disclosure, kernel memory corruption, and process crashes.

AI-Assisted Vulnerability Discovery

Apple’s advisories note that at least four of the patched vulnerabilities were identified with the assistance of AI tools. Researchers from Anthropic and OpenAI Codex Security are credited with reporting those findings, marking a notable example of AI-assisted security research contributing to a major vendor’s patch cycle.

Safari Update Extends Coverage to Older macOS Versions

Safari 26.5.2 was released separately and patches 31 vulnerabilities spanning Web Extensions, WebKit, WebKit Canvas, WebKit Storage, and WebRTC. This update extends the fixes to users running macOS Sonoma and macOS Sequoia, after the patches were initially made available through the macOS Tahoe 26.6 beta channel.

No Active Exploitation Reported, But Urgency Remains

Apple states that none of the addressed vulnerabilities are known to be actively exploited at the time of release. However, the company’s products have historically been targeted by threat actors shortly after public disclosure, particularly when WebKit flaws are involved. Security professionals should prioritize deploying these updates promptly, given that the majority of the issues can be triggered simply by visiting a crafted website, requiring no additional user interaction beyond normal browsing.