Apple iOS 26.2: What has been fixed in the latest security update

Apple has revealed a significant number of security vulnerabilities impacting its newer iPhone and iPad models. The company has cautioned users that some of these weaknesses could potentially lead to unauthorized access to sensitive data, device crashes, or in extreme cases, a complete system takeover. This information was made available on Apple's support page as part of the newest security update released on Friday. The vulnerabilities affect devices including the iPhone 11 and later models, along with various iPad lines, such as the third-generation iPad Pro, the third-generation iPad Air, the eighth-generation iPad, and the fifth-generation iPad mini. One notable issue involved the App Store, where a permissions oversight allowed an app to access sensitive payment tokens. Apple has rectified this by reinforcing restrictions within the system. Additionally, similar permissions and logging vulnerabilities were identified and addressed in various system components, including Icons, Messages, Media Experience, Screen Time, Telephony, and Photos. In certain instances, apps could have gained access to private user data, Safari browsing history, or details about other installed applications. Apple also tackled a critical flaw in the kernel that could have permitted a malicious app to acquire root privileges, stemming from an integer overflow issue. This has been fixed by transitioning to 64-bit timestamps. Other fundamental components like Foundation, Multi-Touch, libarchive, and AppleJPEG contained memory corruption vulnerabilities that could lead to app crashes or erratic behavior when dealing with harmful data or files. A considerable number of the vulnerabilities were linked to FaceTime and the Calling Framework, where issues could expose password fields during remote device control sessions, and there was also a risk of FaceTime caller ID spoofing. Apple has indicated that enhanced state management has resolved these concerns. Moreover, many of the disclosed vulnerabilities were associated with WebKit, the browser engine utilized by Safari. Apple warned that maliciously designed web content could lead to crashes, memory corruption, or, in severe cases, arbitrary code execution. The company acknowledged reports indicating that at least two WebKit vulnerabilities were potentially exploited in “highly sophisticated” targeted attacks against specific users on earlier versions of iOS, prior to the rollout of iOS 26. These issues have since been patched. Some vulnerabilities stemmed from open-source software utilized by Apple, including curl and libarchive. Apple confirmed that these vulnerabilities received CVE identifiers from third-party sources and that its software was among the impacted projects. While Apple has not suggested that most of the vulnerabilities were exploited on a large scale, it strongly advises users to update their devices to the latest software versions to safeguard against these identified flaws.