Apple addresses more than 100 vulnerabilities in security updates for iPhones, Macs and iPads
Apple disclosed an exceptionally high number of vulnerabilities in core services and components used across its most popular devices, as the tech giant addressed 105 vulnerabilities in MacOS 26.1 and 56 vulnerabilities with the release of iOS 26.1 and iPadOS 26.1.
The company’s latest security update includes some flaws that affect software spanning iPhones, Macs and iPads. Apple did not report active exploitation of any vulnerabilities it patched Monday.
Apple’s vulnerability disclosure strategy remains a challenge and point of contention for outside threat researchers who are trying to gauge which vulnerabilities to prioritize for further review. The company doesn’t follow the Common Vulnerability Scoring System and provides minimal details about the potential impact and description of each vulnerability.
“As always, I get frustrated when reading Apple updates as they don’t provide any severity rating,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop. “I understand not wanting to use CVSS, but if they would at least call out the critical and high-severity bugs, it would be greatly appreciated.”
Apple customers have experienced a respite from zero-day vulnerabilities, following a steady pace of emergency software updates earlier this year. The company has addressed five actively exploited zero-days this year, including defects previously disclosed in January, February, March, April and August.
The Cybersecurity and Infrastructure Security Agency has added eight Apple defects to its known exploited vulnerabilities catalog this year.
Childs said he was particularly surprised by the size of Apple’s security release and the number of fixes for WebKit, the open-source web browser engine used across the vendor’s products.
Seven of the WebKit defects described the potential of an unexpected process crash from the processing of maliciously crafted web content.
“I was also disappointed to read some of the descriptions of CVEs played down or didn’t specifically call out the chance for arbitrary code execution,” Childs said.
Apple also patched 21 defects with the release of Safari 26.1, 43 vulnerabilities in visionOS 26.1, 32 bugs in watchOS 26.1 and two defects in Xcode 26.1.
More information about the vulnerabilities and latest software versions are available on Apple’s security release site.
