Apple has released iOS 26.5, and while the update carries a handful of visible new features, the real story sits in the fine print. The accompanying security document lists more than 50 vulnerabilities patched across the operating system, touching everything from the kernel to Safari’s underlying engine. If you have been putting off that “Software Update” notification, this is the release to stop scrolling past.
What Apple Actually Fixed
Apple rarely explains its security patches in plain language. The company’s official policy is to withhold technical detail on a flaw until a fix has already reached users, which limits how much attackers can learn from an unpatched device. Even so, the published notes for iOS 26.5 point to several categories worth knowing about.
WebKit vulnerabilities. Ten separate flaws were found in WebKit, the engine that powers Safari and renders web content inside countless other apps on iPhone. Several of these could have let a malicious website access sensitive data or crash the browser outright, which is precisely the kind of bug that matters to ordinary users who never touch a line of code. Because WebKit sits underneath so much of iOS, a flaw here is not limited to Safari; any app that opens a link or displays web content can be exposed.
Kernel issues. A number of the patched bugs live in the kernel, the core layer that controls how the entire device behaves. Flaws at this level carry more weight than a typical app bug, since a successful exploit could allow an attacker to read protected memory or destabilise the system.
Image handling bugs. Apple also closed several vulnerabilities tied to how iOS processes images, an area that has been a recurring target in past spyware campaigns because a booby-trapped image can sometimes trigger code execution without the user tapping anything.
Shortcuts, Spotlight, and screenshots. Less headline-grabbing but still notable, the update addresses issues connected to the Shortcuts app, Spotlight search, and how the system handles screenshots, all areas that touch personal data in ways users rarely think about.
Apple has stated that none of the vulnerabilities fixed in iOS 26.5 were known to have been actively exploited before the patch shipped. That is reassuring, but it comes with a catch worth understanding.
Why “Not Exploited Yet” Doesn’t Mean “Safe to Wait”
Once Apple publishes a security bulletin, it effectively hands attackers a map. Security researchers and criminal groups alike read these documents closely, comparing the patched code against the previous version to work out exactly what was broken and how it might be abused. Devices that have not installed the update become easier targets the longer that gap exists. This is the main reason security professionals consistently recommend installing these updates within days, rather than waiting for a convenient moment.
Which Devices Are Covered
iOS 26.5 and its iPadOS counterpart are available for a wide range of hardware, and Apple has also pushed out matching security-only updates for people who have not moved to iOS 26.
Supported for the full iOS 26.5 update:
- iPhone 11 through iPhone 17 series, including the Pro, Pro Max, and Plus variants
- iPhone Air and iPhone SE (2nd generation) and later
- iPad Pro (12.9-inch, 3rd generation and later; 11-inch, 1st generation and later)
- iPad Air (3rd generation and later)
- iPad (8th generation and later)
- iPad mini (5th generation and later)
For devices still on older software, Apple simultaneously released iOS 18.7.9, iPadOS 17.7.11, iOS 16.7.16, iPadOS 16.7.16, iOS 15.8.8, and iPadOS 15.8.8, along with security patches for macOS Sonoma and macOS Sequoia. Anyone unable to jump to iOS 26 for hardware reasons is still covered, so there is no good reason to remain unpatched regardless of which iPhone model you carry.
Beyond iPhone and iPad, Apple rolled out nearly 70 separate security fixes in macOS Tahoe 26.5, making this one of the broader patch cycles across the company’s product line in recent months.
A Feature Worth Mentioning: RCS Encryption Finally Arrives
Buried alongside the security fixes is a genuinely useful addition. iOS 26.5 brings end-to-end encryption for RCS messages exchanged between iPhone and Android devices, a feature Apple confirmed is now live for everyone rather than limited to a small beta group. Green-bubble conversations between iPhone and Android users have historically lacked the same protection as iMessage, so this closes a long-standing gap, even if the rollout is still described as an early-stage implementation.
The update also introduces interoperability changes for third-party wearables in the European Union, part of Apple’s continued compliance with the EU’s Digital Markets Act. European iPhone owners using non-Apple accessories now get access to proximity pairing and other features previously reserved for Apple Watch and AirPods.
How to Install iOS 26.5
Updating takes a few minutes and requires no special skill:
- Open Settings on your iPhone or iPad.
- Tap General, then Software Update.
- Select Update Now (or Download and Install if prompted).
- Enter your passcode if asked, and keep the device connected to Wi-Fi with reasonable battery life while it installs.
Backing up to iCloud or a computer first is good practice before any major system update, even a routine one.
Apple Didn’t Stop There: iOS 26.5.2 Followed Weeks Later
Since iOS 26.5 shipped in May, Apple has continued patching at an unusually fast pace. On 29 June 2026, the company released iOS 26.5.2, a security-only update addressing close to 30 further vulnerabilities, again concentrated in WebKit and the kernel, with additional fixes for WebRTC, libxslt, and IOGPUFamily. Unlike a typical point release, this one skipped feature changes entirely and existed purely to close gaps before the scheduled iOS 26.6 release.
What stands out about iOS 26.5.2 is the credit list. Alongside the usual roster of independent researchers, Apple acknowledged security teams from Anthropic, OpenAI’s Codex Security effort, and NVIDIA’s AI red team for helping identify some of the flaws, including memory corruption bugs in WebKit. Reports suggest Apple pulled these fixes out of the normal release cycle specifically because AI-assisted vulnerability discovery is shortening the window between a flaw being found and it being exploited. Expect more frequent, smaller security updates going forward rather than everything being saved for the next big numbered release.
The Bottom Line
Fifty-plus vulnerabilities in a single update is a large number, but it also reflects how seriously Apple treats the unglamorous work of closing security gaps most users never see. None of the fixes in iOS 26.5 addressed bugs known to be under active attack, yet the safest habit remains the same one security experts have repeated for years: update promptly, turn on automatic updates if you haven’t already, and don’t assume “nothing happened yet” means nothing will.
Frequently Asked Questions
Is iOS 26.5 safe to install?
Yes. Apple has confirmed none of the vulnerabilities patched in iOS 26.5 were exploited before the fix shipped, and the update is recommended for all eligible devices.
Which iPhones can install iOS 26.5?
iPhone 11 and later, including the iPhone Air, iPhone SE (2nd generation and later), and all models in the iPhone 12 through 17 lineups.
What happens if I don’t update?
Once a security bulletin is public, attackers can study the difference between old and patched code to build exploits targeting unpatched devices. Delaying an update increases risk over time rather than reducing it.
Is there a newer update than iOS 26.5?
Yes. Apple released iOS 26.5.2 on 29 June 2026, a security-only patch addressing close to 30 additional vulnerabilities, mostly in WebKit and the kernel.
Does iOS 26.5 add new features, or is it just security fixes?
Both. Alongside the security patches, iOS 26.5 introduces end-to-end encrypted RCS messaging between iPhone and Android, plus third-party wearable interoperability changes for EU users.

