iOS, iPadOS, and macOS 26.5.2: Every Security Fix Explained
iOS 26.5.2 brings no new features, just close to 30 security fixes mostly in WebKit. Here's every fix in iOS, iPadOS, and macOS 26.5.2 explained.
Apple released iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2 on June 29, 2026, just under a month after 26.5.1 patched the iPhone 17 charging issue and M5 Mac shutdown bug. There's no new feature to point to this time around. Apple's own release notes for all three updates say the same thing: "This update provides security fixes." That's it.
But "just security fixes" undersells what's actually patched. Apple's security content pages show close to 30 vulnerabilities addressed across the two updates, with the overwhelming majority concentrated in WebKit, the engine behind Safari and every other browser on iOS and iPadOS. A handful touch the kernel directly. None are flagged as actively exploited, but a few of the WebKit issues describe exactly the kind of cross-site data leaks and sandbox escapes that make browsing the riskiest thing most people do on their phone.
watchOS, tvOS, and visionOS did not receive a matching update and remain at version 26.5. This release is limited to iPhone, iPad, and Mac.
iOS 26.5.2 and iPadOS 26.5.2 (Build 23F84)
Apple's official security content page for iOS 26.5.2 and iPadOS 26.5.2 lists every CVE individually, including the researchers credited with finding each one, if you want to dig into the raw list yourself.
The WebKit fixes are the real headline
Most of what changed in this update lives inside WebKit. Apple's security notes describe a string of use-after-free and memory corruption bugs that could let a malicious webpage crash Safari or, in some cases, corrupt memory outright just by loading the page. None of that requires you to click anything. Simply visiting a compromised or booby-trapped site is enough to trigger several of these.
A few of the WebKit fixes are more concerning than a crash. One patches a cross-origin issue where a malicious website could pull data it has no business accessing from a different site you have open. Another fixes a bug in WebKit Storage that let a malicious site silently hijack your clipboard, meaning anything you'd copied could potentially be read without your knowledge. A separate fix closes a sandbox escape that would have let a website process restricted content outside the boundaries Safari normally enforces. Apple also patched a permissions issue that could leak sensitive data just by visiting a page.
None of this needs any action from you beyond installing the update. There's no setting to flip and no feature to turn on. The fix is the update itself.
Kernel and lower-level fixes
Below the browser layer, Apple patched four kernel-related issues and one in IOGPUFamily, the framework that manages communication with a device's graphics hardware. The impacts described range from apps being able to force an unexpected shutdown to, in two cases, an app writing to or leaking kernel memory it shouldn't have access to. These are lower-risk for the average person since they generally require a malicious app already running on the device, but they're still worth knowing about if you've ever sideloaded something questionable or installed a flagged app before Apple pulled it.
Rounding things out, Apple also patched two issues in libxslt (a library used to process certain kinds of web content), one in Web Extensions, and a handful in WebRTC, the technology that powers video calls and other real-time browser communication.
Should you install it now?
Yes. None of the patched issues are described as exploited in the wild, so there's no five-alarm reason to drop everything. But Apple's security notes say these fixes "were first made available in the iOS 26.6 and iPadOS 26.6 betas," meaning the details of what's wrong have effectively already been public knowledge inside the developer beta program for weeks. Once a fix is out, the clock starts on someone reverse-engineering the vulnerability it patches. Install it the normal way: Settings → General → Software Update.
macOS Tahoe 26.5.2 (Build 25F84)
macOS Tahoe 26.5.2 shipped the same day as the iOS and iPadOS update, carrying largely the same fix list since Mac, iPhone, and iPad share the same WebKit and kernel code in most places. Apple's security notes for the Mac update mirror the iOS list almost line for line: the same WebKit crashes and data leaks, the same kernel-level race condition, the same libxslt double-free bug.
This is a much quieter update than 26.5.1, which specifically targeted the shutdown problem affecting M5 Macs on restricted enterprise networks. 26.5.2 doesn't carry anything that specific. It's a straightforward security patch, and the install path is the same as always: System Settings → General → Software Update.
What about watchOS, tvOS, and visionOS?
They sit this one out. As of this release, watchOS, tvOS, and visionOS all remain on version 26.5, with no 26.5.2 counterpart, confirmed on Apple's security releases page. If you're on Apple Watch, Apple TV, or Vision Pro, there's nothing new to install right now.
Apple is still juggling two release tracks at once here. The 26.5.2 patch lands the same week as the third developer beta of iOS 26.6, which is shaping up to be a light maintenance release of its own ahead of iOS 27's public debut later this year. If you're testing the iOS 27 beta already, this update doesn't apply to you, since 26.5.2 only reaches devices still on the iOS 26 line.
iOS 26.5.2 and iPadOS 26.5.2 are available now on iPhone 11 and later and most iPad models from the past several years. macOS Tahoe 26.5.2 is available on any Mac currently running Tahoe. All three can be installed by checking for a software update in Settings or System Settings.
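For anyone tracking more than one device, the availability rules above can be turned into a quick inventory check. This is an added example, not Apple's or the article's code; the hostnames and inventory rows are constructed, and the `(hostname, platform, version)` row format is an assumption about how your device list is exported.

```python
# Added example: constructed inventory, not output from any real MDM product.
PATCHED = {"iOS": (26, 5, 2), "iPadOS": (26, 5, 2), "macOS": (26, 5, 2)}
# Platforms the article says received no 26.5.2 counterpart (they remain on 26.5).
NO_UPDATE = {"watchOS", "tvOS", "visionOS"}


def parse_version(text):
    """Turn '26.5' or '26.5.2' into a 3-tuple so '26.5' compares as 26.5.0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def classify(platform, version):
    """Return 'patched', 'needs-update', 'no-update-available' or 'other-release-line'."""
    if platform in NO_UPDATE:
        return "no-update-available"
    target = PATCHED.get(platform)
    if target is None:
        raise ValueError(f"unknown platform: {platform!r}")
    current = parse_version(version)
    if current[0] != target[0]:
        # e.g. a device on the iOS 27 beta: 26.5.2 is not offered to it.
        return "other-release-line"
    return "patched" if current >= target else "needs-update"


def audit(rows):
    """rows: iterable of (hostname, platform, version). Returns {status: [hostnames]}."""
    report = {}
    for host, platform, version in rows:
        report.setdefault(classify(platform, version), []).append(host)
    return report


# Constructed sample inventory (hypothetical hostnames).
SAMPLE = [
    ("iphone-a", "iOS", "26.5.2"),
    ("iphone-b", "iOS", "26.5.1"),
    ("ipad-a", "iPadOS", "26.5"),
    ("mac-a", "macOS", "26.5.2"),
    ("mac-b", "macOS", "26.4"),
    ("watch-a", "watchOS", "26.5"),
    ("iphone-beta", "iOS", "27.0"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as `needs-update` are the ones still exposed to the WebKit and kernel issues described above.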