Apple Patches Over 30 Flaws, Including AI-Discovered WebKit Vulnerabilities
Apple has released security updates for iOS, macOS, and Safari, addressing more than 30 vulnerabilities, with four in WebKit identified using AI tools.

Apple has issued significant security updates for its core operating systems and web browser, patching over three dozen vulnerabilities across iOS, macOS, and Safari. Notably, four of these flaws reside in WebKit, the browser engine that powers Safari, and were discovered with the help of advanced artificial intelligence tools.
The AI-driven discoveries include CVE-2026-43707, a memory corruption vulnerability that could lead to unexpected process crashes when processing specially crafted web content. Apple mitigated this issue through improved memory handling. Similarly, CVE-2026-43716 is an unspecified WebKit vulnerability causing Safari crashes, also resolved with enhanced memory handling. Another vulnerability, CVE-2026-43745, an out-of-bounds write, could also trigger Safari crashes and was fixed with better input validation. Finally, CVE-2026-43715, a use-after-free vulnerability that could result in memory corruption, was addressed through improved memory management.
Researchers from OpenAI Codex Security are credited with identifying the first three of these WebKit vulnerabilities. Meanwhile, Anthropic researchers Milad Nasr and Nicholas Carlini, in conjunction with Anthropic's Claude AI, were acknowledged for their discovery of CVE-2026-43715. These AI-assisted findings represent a growing trend where artificial intelligence is being leveraged not only by defenders but also by attackers to uncover software weaknesses.
Beyond the AI-identified flaws, the WebKit engine, which is open-source, saw fixes for nearly 30 other vulnerabilities. These include CVE-2026-43720, a use-after-free issue within WebKit Canvas, and CVE-2026-43725, which could allow a malicious website to bypass sandbox restrictions and access restricted web content. Apple also addressed three critical kernel-related vulnerabilities: CVE-2026-43722, CVE-2026-43724, and CVE-2026-39868, which could enable sensitive kernel state leakage, unexpected system termination, or kernel memory corruption. Security researcher Hyunwoo Kim was recognized for discovering two of these kernel flaws.
The security updates are available for iOS 26.5.2, iPadOS 26.5.2, macOS Tahoe 26.5.2, and Safari 26.5.2. Apple has stated that none of the patched vulnerabilities have been reported as actively exploited in the wild, a statement vendors commonly make to reassure users about the immediate threat landscape.
In a notable shift in its security strategy, Apple indicated that these updates are being released earlier than usual. This proactive approach is a direct response to concerns that AI tools could significantly accelerate the development of exploit code, thereby shrinking the time window between vulnerability discovery and potential weaponization. The company is adapting to the evolving threat landscape where AI can expedite malicious tool creation.
Apple's statement, shared with Reuters, emphasized the need to reduce the time lag between when security updates are publicly announced and when they are successfully deployed to customers' devices. This strategic adjustment reflects a broader industry recognition of AI's dual-use potential in cybersecurity, necessitating faster patching cycles to stay ahead of rapidly evolving threats.
The integration of AI in vulnerability discovery, as highlighted by these Apple patches, signals a new era in cybersecurity. While AI offers powerful tools for defense, it also presents new challenges as threat actors can potentially leverage similar technologies for offensive purposes. Apple's accelerated patching cadence is a clear indicator of the industry's response to this evolving dynamic.
Apple has released security updates for iOS, iPadOS, macOS, and Safari, patching a total of 23 vulnerabilities. While the previous report highlighted four AI-discovered WebKit flaws, this update addresses a broader range, including three kernel vulnerabilities and one in IOGPUFamily, none of which are reported as actively exploited. The majority of the patched issues affect WebKit, libxslt, WebRTC, and Web Extensions, with potential impacts ranging from unexpected crashes to memory corruption and sensitive data disclosure.