Back to news
Cybersecurity Alert
July 8, 2026 by EmailMeNow IT Consulting

Apple Patches macOS Tahoe, iOS, and Safari — 37 WebKit Fixes, 4 Found by AI

Apple's June 29, 2026 security updates for iOS 26.5.2, macOS Tahoe 26.5.2, and Safari 26.5.2 fix 37 unique CVEs — mostly WebKit flaws public for weeks. Audits score apple.com at 70% and webkit.org at 70%, with 15% transport on both.

Source: Apple Security Updates / Zero Day Initiative

NewsAppleSafariWebKitmacOSiOSVulnerability DisclosureCybersecurity
Apple security update for macOS Tahoe iOS and Safari patching WebKit browser vulnerabilities

Apple has released a security-only update wave for iOS 26.5.2, iPadOS 26.5.2, macOS Tahoe 26.5.2, and Safari 26.5.2 — patching dozens of browser-related vulnerabilities that had been public knowledge for weeks before the fixes shipped on June 29, 2026.

TidBITS describes the release as focused on WebKit and related technologies, with fixes also backported to Safari 26.5.2 on macOS Sequoia and Sonoma. The Zero Day Initiative counted 37 unique CVEs across the platform updates — 31 of 37 reachable through malicious web content.

Four WebKit flaws were discovered using AI security tools including Anthropic Claude and OpenAI Codex, per Security Affairs — a signal that both defenders and attackers are accelerating browser bug discovery.

Official security content: macOS Tahoe 26.5.2

What Apple Shipped

UpdateRelease datePrimary focus
iOS 26.5.2June 29, 2026WebKit, kernel, GPU drivers
iPadOS 26.5.2June 29, 2026Same security content as iOS
macOS Tahoe 26.5.2June 29, 2026WebKit + kernel + system libraries
Safari 26.5.2June 29, 2026WebKit for macOS Sequoia & Sonoma users

Apple notes these fixes were first available in the macOS Tahoe 26.6 / iOS 26.6 betas before landing in the 26.5.2 security backports — meaning beta testers received patches before general-release users on 26.5.x.

How to Update Your Mac, iPhone, and iPad

These are security-only releases — install them even if you are not ready for a major feature upgrade.

macOS Tahoe → 26.5.2

StepAction
1Click the Apple menuSystem Settings
2Open GeneralSoftware Update
3If macOS Tahoe 26.5.2 appears, click Update Now (or Upgrade Now if labeled)
4Enter your Mac password when prompted and allow the Mac to restart
5After reboot, return to System Settings → General → Software Update — it should report “macOS Tahoe 26.5.2” and “Your Mac is up to date”

Apple menu shortcut: System Settings → General → About shows the current macOS version.

macOS Sequoia or Sonoma → Safari 26.5.2 only

If you are not on macOS Tahoe, you still need the Safari security update:

StepAction
1Apple menuSystem SettingsGeneralSoftware Update
2Install Safari 26.5.2 when offered
3Open Safari → menu bar SafariAbout Safari — confirm version 26.5.2

Safari updates on older macOS releases are delivered through Software Update, not the Mac App Store.

iPhone and iPad → iOS / iPadOS 26.5.2

StepAction
1Open Settings
2Tap GeneralSoftware Update
3Tap Update Now on iOS 26.5.2 or iPadOS 26.5.2
4Connect to Wi‑Fi and keep the device plugged in if the download is large
5After restart, go back to Settings → General → AboutSoftware Version should read 26.5.2

Automatic Updates (recommended): Settings → General → Software Update → Automatic Updates → turn on Download iOS Updates and Install iOS Updates so security-only releases apply overnight on Wi‑Fi.

Verify Safari and WebKit are patched

DeviceHow to check
MacSafari → About Safari → version 26.5.2
iPhone / iPadSafari version tracks the OS — confirm 26.5.2 under Settings → General → About
MDM-managed fleetJamf / Intune compliance policy should flag any device below 26.5.2

If no update appears

SituationWhat to try
”Up to date” but version is older than 26.5.2Restart the device, confirm Settings → General → Date & Time → Set Automatically, then check again in 24 hours
MDM deferralAsk IT to release the security update — 26.5.2 should not sit in a 30-day deferral window
Low storageFree several GB — iOS/macOS updates fail silently when disk space is tight
Beta enrolledSettings → General → Software Update → Beta Updates — you may already have fixes via the 26.6 beta; confirm with IT before switching channels

Bookmark Apple Security Updates for official release notes — not third-party download sites.

Vulnerability Breakdown

CategoryApprox. countExample impacts
WebKit / WebRTC / Canvas31Safari crashes, memory corruption, sandbox escapes, clipboard leaks
Kernel / IOGPUFamily6Unexpected termination, kernel memory write or corruption
libxslt / Web ExtensionsIncluded aboveParser and extension-surface bugs
Unique CVEs (ZDI tally)37Across iOS, macOS Tahoe, Safari
AI-discovered WebKit bugs4CVE-2026-43707, 43715, 43716, 43745

Apple states no evidence of active exploitation for the patched issues at release — but several WebKit bugs had been public for weeks, widening the window for targeted attacks against unpatched Macs and iPhones.

Notable CVEs

CVEComponentImpact
CVE-2026-43701WebKitMalicious site may process restricted web content outside the sandbox
CVE-2026-43724KernelApp may cause termination or write kernel memory
CVE-2026-39868KernelUnexpected termination or kernel memory corruption
CVE-2026-43743IOGPUFamilyApp may cause unexpected system termination
CVE-2026-43707WebKitMemory corruption → process crash (AI-discovered)
CVE-2026-43715WebKitUse-after-free → memory corruption (AI-discovered)
CVE-2026-43745WebKitOut-of-bounds write → Safari crash (AI-discovered)

Most remaining WebKit entries are crash/DoS-class bugs triggered by malicious pages — still urgent for firms whose staff live in Safari, iCloud web apps, and WebKit-embedded views.

Illustration: MacBook and iPhone showing Safari security update available notification with WebKit engine diagram overlay

Why “Public for a While” Matters

ScenarioBusiness risk
Attorney iPhone on 26.5.1Visiting a crafted filing-portal or discovery link can crash Safari or corrupt renderer memory
Executive MacBook delaying updatesKernel-class bugs (CVE-2026-43724) raise stakes beyond browser tabs
MDM deferring security-only releases26.5.2 is not a feature upgrade — deferral buys little, risk buys a lot
WebKit in non-Safari appsMail previews, embedded browsers, and PWAs inherit the same engine

Pair this patch cycle with Chrome 150’s 382-fix releaseboth major browser engines patched the same week.

Illustration: security researcher using AI tools to analyze WebKit source code on dual monitors in a modern SOC

Independent Domain Security Audits — July 8, 2026

We scanned Apple domains users trust for update guidance. 100% is the ideal score for domain security.

OrganizationDomainOverallIdentityTransportWebsiteRisk
Apple Inc.apple.com70%50%15%100%Good
Apple Supportsupport.apple.com52%0%45%100%Average
WebKit projectwebkit.org70%90%15%45%Good

Key findings:

  • apple.com scores 100% Website Security but only 15% Transport — strong public web headers do not automatically mean hardened SMTP transport for security-announcement email.
  • support.apple.com0% Identity on our probe; users should bookmark official support URLs rather than trusting search-result links after security news cycles.
  • webkit.org90% Identity but 45% Website and 15% Transport; open-source project sites are still phishing targets during patch urgency.

Audit links:

Priority Actions

  1. Install iOS/iPadOS 26.5.2 and macOS Tahoe 26.5.2 on every managed Apple device immediately.
  2. Update Safari 26.5.2 on macOS Sequoia and Sonoma even if you are not on Tahoe yet.
  3. Verify MDM compliance — security-only releases should not sit in a 30-day deferral window.
  4. Retest critical web apps in Safari after patching; WebKit changes can affect legacy portals.
  5. Document patch status for cyber insurance renewals alongside endpoint baseline controls.

See How to Update Your Mac, iPhone, and iPad above for step-by-step instructions.


Sources: Apple — macOS Tahoe 26.5.2 · TidBITS · Zero Day Initiative · Security Affairs · Cybernoz