VYPR
Published May 11, 2026 · Updated May 17, 2026 · 1 source

Apple Patches 84 Vulnerabilities Across Entire Ecosystem

Apple has issued a sweeping set of security updates addressing 84 vulnerabilities across its entire product lineup, including critical kernel and privilege escalation flaws.

Apple has released a comprehensive suite of security updates addressing 84 distinct vulnerabilities across its entire ecosystem, including iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. The patches cover a wide range of components, from core kernel functions to application-level services, and are available for the latest "26" series of operating systems, as well as legacy support for iOS/iPadOS 18 and older macOS versions (SANS Internet Storm Center).

The vulnerabilities addressed include several high-impact flaws that could allow attackers to bypass security boundaries or gain elevated privileges. Notably, CVE-2026-28819 allows an application to execute arbitrary code with kernel privileges via the Wi-Fi component, while CVE-2026-28840 and CVE-2026-28915 permit applications to gain root privileges through PackageKit and CUPS, respectively. Additionally, CVE-2025-43524 and CVE-2026-28923 describe sandbox escape vulnerabilities affecting Icons and GPU Drivers, which could allow malicious applications to break out of their restricted environments (SANS Internet Storm Center).

The updates also mitigate numerous issues related to system stability and data privacy. Several vulnerabilities, such as CVE-2026-28848 (SMB) and CVE-2026-28872 (Calendar), could allow remote attackers to trigger denial-of-service conditions or unexpected system terminations. Privacy-focused flaws include CVE-2026-28870 and CVE-2026-28877, which could allow unauthorized access to sensitive user data via GeoServices and Accounts, and CVE-2026-28873, which allows an app to circumvent App Privacy Report logging (SANS Internet Storm Center).

WebKit, a frequent target for security researchers, received multiple patches for vulnerabilities that could lead to process crashes or bypass security protections. For instance, CVE-2026-28907 addresses a flaw where maliciously crafted web content could prevent the enforcement of Content Security Policies. Furthermore, CVE-2026-28920 in zlib could allow sensitive data leakage when visiting a malicious website, and CVE-2026-28914 highlights a risk where a crafted ZIP archive could bypass Gatekeeper security checks (SANS Internet Storm Center).

According to the SANS Internet Storm Center, none of these 84 vulnerabilities are currently known to have been exploited in the wild. Apple has provided these updates for a broad range of devices, including iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, tvOS 26.5, watchOS 26.5, and visionOS 26.5. Users are encouraged to apply these updates promptly to ensure their devices are protected against these potential attack vectors (SANS Internet Storm Center).

This massive batch of patches reflects the ongoing challenge of maintaining security across a deeply integrated product line. By addressing vulnerabilities ranging from kernel-level memory corruption to application-specific privacy bypasses, Apple continues its pattern of periodic, large-scale security maintenance. The absence of active exploitation reports suggests that these fixes are proactive, though the diversity of the flaws underscores the necessity of maintaining updated software across all hardware platforms.

Synthesized by Vypr AI