Apple released iOS 26.1 and iPadOS 26.1 with a wide set of security fixes. The update closes issues across Apple Account, Photos, Safari, WebKit, Siri, and more. Apple also posted matching security notes for macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, and watchOS 26.1. Update now if you have not already.
The iOS and iPadOS patches address problems like a bug that lets attackers disable Stolen Device Protection, keystroke monitoring through WebKit, and lock screen exposures. Apple lists about 50 entries with CVE IDs and component names.
Apple says these releases are available for iPhone 11 and later, and a wide set of recent iPad models. The company recommends all users install security updates as soon as possible.
To update, open Settings, tap General, then Software Update. Download and install.
These fixes stop data leaks, block sandbox escapes, and protect lock screen privacy. WebKit changes harden Safari against crashes, spoofing, and memory bugs that can lead to data theft or code execution. The Stolen Device Protection fix matters if someone gains physical access to your iPhone.
Supported devices
- iOS 26.1: iPhone 11 and later
- iPadOS 26.1: iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, iPad mini 5th generation and later
Full security fix list from Apple
Accessibility
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to identify what other apps a user has installed
Description: A permissions issue was addressed with additional restrictions.
CVE-2025-43442: Zhongcheng Li from IES Red Team of ByteDance
Apple Account
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A malicious app may be able to take a screenshot of sensitive information in embedded views
Description: A privacy issue was addressed with improved checks.
CVE-2025-43455: Ron Masas of BreakPoint.SH, Pinak Oza
Apple Neural Engine
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to cause unexpected system termination or corrupt kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2025-43447: an anonymous researcher
CVE-2025-43462: an anonymous researcherApple TV Remote
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A malicious app may be able to track users between installs
Description: The issue was addressed with improved handling of caches.
CVE-2025-43449: Rosyna Keller of Totally Not Malicious Software
AppleMobileFileIntegrity
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access protected user data
Description: This issue was addressed with improved validation of symlinks.
CVE-2025-43379: Gergely Kalman (@gergely_kalman)
Assets
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved entitlements.
CVE-2025-43407: JZ
Audio
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An attacker with physical access to an unlocked device paired with a Mac may view sensitive user information in system logging
Description: A logging issue was addressed with improved data redaction.
CVE-2025-43423: Duy Trần (@khanhduytran0)
Camera
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may learn information about the current camera view before it has camera access
Description: A logic issue was addressed with improved checks.
CVE-2025-43450: Dennis Briner
CloudKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to break out of its sandbox
Description: This issue was addressed with improved validation of symlinks.
CVE-2025-43448: Hikerell (Loadshine Lab)
Contacts
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may access sensitive user data
Description: A logging issue was addressed with improved data redaction.
CVE-2025-43426: Wojciech Regula of SecuRing (wojciechregula.blog)
Control Center
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An attacker may view restricted content from the lock screen
Description: A permissions issue was addressed with additional restrictions.
CVE-2025-43350: Lukaah Marlowe
CoreServices
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may enumerate a user’s installed apps
Description: A permissions issue was addressed with additional restrictions.
CVE-2025-43436: Zhongcheng Li from IES Red Team of ByteDance
CoreText
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2025-43445: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
FileProvider
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may access sensitive user data
Description: An authorization issue was addressed with improved state management.
CVE-2025-43498: pattern-f (@pattern_F_)
Find My
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may fingerprint the user
Description: A privacy issue was addressed by moving sensitive data.
CVE-2025-43507: iisBuri
Installer
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may fingerprint the user
Description: A permissions issue was addressed with additional restrictions.
CVE-2025-43444: Zhongcheng Li from IES Red Team of ByteDance
Kernel
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may cause unexpected system termination
Description: The issue was addressed with improved memory handling.
CVE-2025-43398: Cristian Dinca (icmd.tech)
libxpc
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A sandboxed app may observe system wide network connections
Description: An access issue was addressed with additional sandbox restrictions.
CVE-2025-43413: Dave G. and Alex Radocea of supernetworks.org
Mail Drafts
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Remote content may load even when the Load Remote Images setting is off
Description: The issue was addressed by adding additional logic.
CVE-2025-43496: Romain Lebesle, Himanshu Bharti @Xpl0itme From Khatima
MallocStackLogging
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may access sensitive user data
Description: An issue existed in the handling of environment variables. It was addressed with improved validation.
CVE-2025-43294: Gergely Kalman (@gergely_kalman)
Model I/O
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory
Description: An out of bounds access issue was addressed with improved bounds checking.
CVE-2025-43386: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
CVE-2025-43385: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
CVE-2025-43384: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative
CVE-2025-43383: Michael DePlante (@izobashi) of Trend Micro Zero Day InitiativeMulti-Touch
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A malicious HID device may cause an unexpected process crash
Description: The issue was addressed with improved bounds checks.
CVE-2025-43424: Google Threat Analysis Group
Notes
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may access sensitive user data
Description: A privacy issue was addressed by removing the vulnerable code.
CVE-2025-43389: Kirin (@Pwnrin)
On-device Intelligence
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may fingerprint the user
Description: A privacy issue was addressed by removing sensitive data.
CVE-2025-43439: Zhongcheng Li from IES Red Team of ByteDance
Photos
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may access sensitive user data
Description: A privacy issue was addressed with improved handling of temporary files.
CVE-2025-43391: Asaf Cohen
Safari
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Visiting a malicious website may lead to address bar spoofing
Description: The issue was addressed with improved checks.
CVE-2025-43493: @RenwaX23
Safari
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Visiting a malicious website may lead to user interface spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2025-43503: @RenwaX23
Safari
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may bypass certain Privacy preferences
Description: A privacy issue was addressed by removing sensitive data.
CVE-2025-43502: an anonymous researcher
Sandbox Profiles
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may access sensitive user data
Description: A privacy issue was addressed with improved handling of user preferences.
CVE-2025-43500: Stanislav Jelezoglo
Siri
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A device may persistently fail to lock
Description: This issue was addressed through improved state management.
CVE-2025-43454: Joshua Thomas
Status Bar
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An attacker with physical access to a locked device may view sensitive user information
Description: A logic issue was addressed with improved checks.
CVE-2025-43460: Isaiah Wan
Stolen Device Protection
Available for: iPhone 11 and later
Impact: An attacker with physical access to a device may disable Stolen Device Protection
Description: The issue was addressed by adding additional logic.
CVE-2025-43422: Will Caine
Text Input
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Keyboard suggestions may display sensitive information on the lock screen
Description: This issue was addressed by restricting options offered on a locked device.
CVE-2025-43452: Thomas Salomon, Sufiyan Gouri (TU Darmstadt), Phil Scott (@MrPeriPeri) & Richard Hyunho Im (@richeeta), Mark Bowers, Joey Hewitt, Dylan Rollins, Arthur Baudoin, an anonymous researcher, Andr.Ess
WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A malicious website may exfiltrate data cross origin
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 276208
CVE-2025-43480: Aleksejs PopovsWebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 296693
CVE-2025-43458: Phil Beauvoir
WebKit Bugzilla: 298196
CVE-2025-43430: Google Big Sleep
WebKit Bugzilla: 298628
CVE-2025-43427: Gary Kwong, rheza (@ginggilBesel)WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: This issue was addressed with improved checks.
WebKit Bugzilla: 299843
CVE-2025-43443: an anonymous researcherWebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 298496
CVE-2025-43441: rheza (@ginggilBesel)
WebKit Bugzilla: 299391
CVE-2025-43435: Justin Cohen of Google
WebKit Bugzilla: 298851
CVE-2025-43425: an anonymous researcherWebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: This issue was addressed with improved checks.
WebKit Bugzilla: 298126
CVE-2025-43440: Nan Wang (@eternalsakura13)WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A use after free issue was addressed with improved memory management.
WebKit Bugzilla: 297662
CVE-2025-43438: shandikri working with Trend Micro Zero Day Initiative
WebKit Bugzilla: 298606
CVE-2025-43457: Gary Kwong, Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
WebKit Bugzilla: 297958
CVE-2025-43434: Google Big SleepWebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may monitor keystrokes without user permission
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 300095
CVE-2025-43495: Lehan Dilusha JayasingheWebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to memory corruption
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 298093
CVE-2025-43433: Google Big Sleep
WebKit Bugzilla: 298194
CVE-2025-43431: Google Big SleepWebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A use after free issue was addressed with improved memory management.
WebKit Bugzilla: 299313
CVE-2025-43432: Hossein Lotfi (@hosselot) of Trend Micro Zero Day InitiativeWebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A buffer overflow was addressed with improved bounds checking.
WebKit Bugzilla: 298232
CVE-2025-43429: Google Big SleepWebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: Multiple issues were addressed by disabling array allocation sinking.
WebKit Bugzilla: 300718
CVE-2025-43421: Nan Wang (@eternalsakura13)WebKit Canvas
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A website may exfiltrate image data cross origin
Description: The issue was addressed with improved handling of caches.
WebKit Bugzilla: 297566
CVE-2025-43392: Tom Van Goethem
How to update now
- Open Settings on your iPhone or iPad.
- Tap General.
- Tap Software Update.
- Download and install iOS 26.1 or iPadOS 26.1.
You can also review Apple’s security update notes and the full compatibility lists for iOS 26 and iPadOS 26 on Apple’s website.
Install iOS 26.1 or iPadOS 26.1 today. It protects your data and closes high value paths that attackers use.
