.png){kind=logo}
Apple has released the iOS 26.2 security update to fix weaknesses on iPhone and iPad. The company published security notes on its support site and urged users to install the update soon. Apple said it saw no evidence of broad abuse, yet it confirmed that a few flaws appeared in highly targeted attacks on older iOS versions.
The iOS 26.2 update supports iPhone 11 and newer devices. It also covers iPad Pro from the third generation onward. It covers iPad Air from the third generation, iPad from the eighth generation, and iPad mini from the fifth generation. These models run current iOS and iPadOS features, so the patch reaches a large installed base.
Apple said the flaws appeared in several parts of iOS. Some affected built-in apps, while others involved background services and core system frameworks. Apple also noted that certain bugs could cause crashes or unstable behavior when a device processed malformed data. Apple grouped the fixes into one release to reduce exposure across the platform.
Apple addressed a permissions flaw tied to the App Store. Before the fix, an app could, in specific conditions, access sensitive payment tokens. Apple tightened access controls to block that path and to enforce stronger restrictions on related requests.
The update also corrected privacy and logging issues in several components. Apple cited fixes for Messages, Photos, Screen Time, Telephony, MediaExperience, and Icons. In some scenarios, a malicious app could learn Safari history or details about other installed apps. The patch now limits data access and improves separation between apps and system resources.
Apple also addressed a kernel issue that could enable privilege escalation. Apple traced the problem to an integer overflow condition. The company mitigated the risk by moving affected time handling to 64-bit timestamps, which helps prevent similar overflow errors.
Also Read: Hidden iOS 19 Prototype Leaks Major Clues About Apple’s iOS 27 Plans
Many fixes in iOS 26.2 focus on WebKit, the browser engine that powers Safari. Apple said crafted web content could cause memory corruption, crashes, or code execution. Apple also acknowledged reports that at least two WebKit flaws played a role in sophisticated, targeted attacks before iOS 26. The update patches those weaknesses.
Apple also shipped fixes for FaceTime and the Calling Framework. The release prevents password field exposure during some remote device control sessions and blocks FaceTime caller ID spoofing attempts. Apple improved state handling to reduce the chance of these events.
Apple recommends routine update habits across iPhone and iPad. Users can enable updates, review app permissions, and install apps from trusted sources. They can also stay cautious with links and attachments, since browsers and file parsers often process attacker-controlled content.
