
MacRumors



Apple today released iOS 26.2, iPadOS 26.2, and macOS 26.2, all of which introduce new features, bug fixes, and security improvements. Apple says that the updates address over 20 vulnerabilities, including two bugs that are known to have been actively exploited.


There are a pair of WebKit vulnerabilities that could allow maliciously crafted web content to execute code or cause memory corruption. Apple says that the bugs might have been exploited in an attack against targeted individuals on versions of iOS before iOS 26.

Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.

Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.

One of the WebKit bugs was fixed with improved memory management, while the other was addressed with improved validation.

There are several other vulnerabilities that were fixed too, across apps and services. An App Store bug could allow users to access sensitive payment tokens, processing a malicious image file could lead to memory corruption, photos in the Hidden Album could be viewed without authentication, and passwords could be unintentionally removed when remotely controlling a device with FaceTime.

Now that these vulnerabilities have been publicized by Apple, even those that were not exploited before might be taken advantage of now. Apple recommends all users update their devices to iOS 26.2, iPadOS 26.2, and macOS Tahoe 26.2 as soon as possible.

Article Link: Update Now: iOS 26.2 Fixes 20+ Security Vulnerabilities
 
Does this fix the static noises emitted from the bottom speaker on iPhone 17 Pro (Max) models when charging the phone?
 
Every OS upgrade regardless of platform does this, or not?
Android is so componentized that individual parts of the OS are patched daily. The OS is updated quarterly just like Apple, but those are feature updates and not security patches. Meanwhile Apple delays releasing security fixes for weeks that are being actively exploited because they are also trying to make a transparency slider for the clock and can't do those two things separately. In the last 24 hours, my Pixel has updated the Phone app, the Google app, Google Drive, Google Translate, Voice Access, Android AICore, Google Messages, Gboard, Pixel Camera, and Google Wallet. And that's a pretty typical day. The security is outstanding on Android because of how they structured their OS and the flexibility it gives them.
 
In other words, if you're still on Sequoia, switch to another browser (Firefox is good). Stop using Safari.

Because, guess what: even though they updated Sequoia today, it does not include fixes for these "actively exploited" vulnerabilities, according to Apple's "security content" notes. Gee, thanks.

edit: this is now listed in the Safari 26.2 security content notes for Sequoia, I didn't see it listed when I checked but maybe I missed it.
 
And some of the security fixes were included in 18.7.3 too...

But so far 18.7.3 hasn't been released for iPhones that are capable of upgrading to iOS 26, even if they're still on 18.7.2. It's currently only available to devices that can't upgrade to iOS 26.

I hope that's a temporary error and not a deliberate move by Apple to force users to update to iOS 26.
 
This is so predictable ..

Better not stay behind ... we just found a very scary vulnerability (amazing timing!).. so scary, we won't fix it anywhere else .. you have to come get it on FischerPriceOS 26.2

Ridiculous.

If you had bothered to read the actual notes for the security updates you’ll see most were discovered by third party security researchers.

I suppose they were all in this together with Apple as some way to force people to upgrade? 🙄
 
Android is so componentized that individual parts of the OS are patched daily. The OS is updated quarterly just like Apple, but those are feature updates and not security patches. Meanwhile Apple delays releasing security fixes for weeks that are being actively exploited because they are also trying to make a transparency slider for the clock and can't do those two things separately. In the last 24 hours, my Pixel has updated the Phone app, the Google app, Google Drive, Google Translate, Voice Access, Android AICore, Google Messages, Gboard, Pixel Camera, and Google Wallet. And that's a pretty typical day. The security is outstanding on Android because of how they structured their OS and the flexibility it gives them.

Sorry but this is simply not true. If you check out the Android Dashboard and read up on the most severe vulnerabilities they are patched along with Android (via OEMs) and not on a daily basis.

Google has been trying (for years) to make it so they can directly update devices, but they have a long way to go.

Edited: added the text “most severe” I left out of my OP.
 
And some of the security fixes were included in 18.7.3 too...

But so far 18.7.3 hasn't been released for iPhones that are capable of upgrading to iOS 26, even if they're still on 18.7.2. It's currently only available to devices that can't upgrade to iOS 26.

I hope that's a temporary error and not a deliberate move by Apple to force users to update to iOS 26.
No, that's deliberate, it's always been like this.
 
No, that's deliberate, it's always been like this.

It might be deliberate, but it’s not always been like that.

I’m sticking with iOS 18 regardless.

Sorry but this is simply not true. If you check out the Android Dashboard and read up on vulnerabilities they are patched along with Android (via OEMs) and not on a daily basis.

Google has been trying (for years) to make it so they can directly update devices, but they have a long way to go.

That’s why, if I switch to Android, I’ll stick to the Pixel line.
 
Somehow my phone updated overnight to 26 — I did not want this and could have sworn I constantly hit cancel on any updates.

You got me Tim… and I hate this new keyboard and see through look.


So where’s 26.2? Not even an option to download yet.
 
And some of the security fixes were included in 18.7.3 too...

But so far 18.7.3 hasn't been released for iPhones that are capable of upgrading to iOS 26, even if they're still on 18.7.2. It's currently only available to devices that can't upgrade to iOS 26.

I hope that's a temporary error and not a deliberate move by Apple to force users to update to iOS 26.
The best part is in the news article below this one
There are signs of "a new validation system that will check the integrity of the device before logging into Apple ID and iCloud."
I'd imagine a device on outdated software wouldn't pass.
 
Apple fixes 20+ security vulnerabilities is just marketing fluff for their inability to innovate anymore!

The fact that people were using their devices with 20+ security vulnerabilities is more interesting.
And I wonder how many security vulnerabilities they decided not to fix in the latest release
 
No, that's deliberate, it's always been like this.
It's always been possible to stay on the previous year's release and continue to receive the security point updates. Indeed, over the past few months it's been possible to update from 18.6 to 18.7 (when 26.0 was released) and then receive 18.7.1 and 18.7.2 despite 26.1 having been released.

In fact, right now iPadOS 18.7.3 is available to iPads that can run iPadOS 26, but for some reason iPhones don't have iOS 18.7.3 available if they can run iOS 26 - so it seems like a mistake. Supporting this theory, if you enable the iOS 18 beta track, iOS 18.7.3 then becomes available again.
 
Android is so componentized that individual parts of the OS are patched daily. The OS is updated quarterly just like Apple, but those are feature updates and not security patches. Meanwhile Apple delays releasing security fixes for weeks that are being actively exploited because they are also trying to make a transparency slider for the clock and can't do those two things separately. In the last 24 hours, my Pixel has updated the Phone app, the Google app, Google Drive, Google Translate, Voice Access, Android AICore, Google Messages, Gboard, Pixel Camera, and Google Wallet. And that's a pretty typical day. The security is outstanding on Android because of how they structured their OS and the flexibility it gives them.
And the components get updated long after the Android version isn't. Need a browser bug fixed? Here you go via Play Store. Apple: we will fix it next month because it needs a full OS update. Maybe that's why iOS browsers have to use WebKit, and are essentially a Safari wrapper, because the speed of updates would embarrass Apple.
 