Apple Fixes Broad Set of iOS, macOS, and visionOS Vulnerabilities
Apple released a wide-ranging set of security updates across iOS, iPadOS, macOS Tahoe, watchOS, tvOS, visionOS, Safari, and Xcode, addressing more than 85 vulnerabilities across core components including the kernel, WebKit, AirPlay, Keychain, and open-source libraries. The updates fix issues that could enable traffic interception, kernel state disclosure, user fingerprinting, installed-app enumeration, Mail privacy bypasses, exposure of deleted Notes content, and crashes from out-of-bounds writes. Apple said it had no reports of in-the-wild exploitation for the vulnerabilities listed in the release notes, but urged users to update, with particular importance for older devices and managed macOS environments.
Among the patched flaws is CVE-2024-27828, a high-severity memory-handling bug in IOSurfaceRoot that could let a local app trigger a kernel panic or execute arbitrary code with kernel privileges. STAR Labs said the issue stemmed from a reference count leak in IOSurfaceRootUserClient::s_create_shared_event, where repeated calls with crafted input could corrupt memory handling; the flaw affected iOS and iPadOS before 17.5, tvOS before 17.5, watchOS before 10.5, and visionOS before 1.2. Apple addressed the bug through improved memory handling, adding it to a broader pattern of fixes spanning both current and legacy Apple platforms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
32 events from the most recent confirmed update back to the earliest known activity.
Apple releases Safari 26.5 for macOS with 11 security fixes
Apple released Safari 26.5 for macOS 15 Sequoia and macOS 14 Sonoma, addressing 11 security vulnerabilities that had previously been fixed in other recent updates. Apple said the flaws were not known to have been exploited in the wild.
Apple publishes tvOS 26.5 security advisory
Apple released tvOS 26.5 and published its security-content advisory for Apple TV HD and Apple TV 4K models. The update addressed numerous vulnerabilities across sandboxing, kernel memory protections, media parsing, web content handling, networking, and system stability, with credits to researchers including Google TAG, Google Project Zero, ZDI, and STAR Labs SG.
Apple publishes macOS Sonoma 14.8.7 security advisory
Apple published the security-content advisory for macOS Sonoma 14.8.7, detailing numerous fixes across kernel components, sandboxing, privacy controls, media parsing, networking, Gatekeeper, Mail Lockdown Mode, and user-consent protections. The update addressed risks including kernel-level code execution, privilege escalation, sandbox escape, denial of service, Gatekeeper bypass, and unauthorized access to sensitive user data.
Apple publishes iOS 18.7.7 and iPadOS 18.7.7 security update
Apple released iOS 18.7.7 and iPadOS 18.7.7 and published the corresponding security-content advisory. This was a distinct security update for the 18.x branch issued on the same day as Apple’s broader 26.5 release wave.
Apple publishes iOS 15.8.8 and iPadOS 15.8.8 security update
Apple released iOS 15.8.8 and iPadOS 15.8.8 and published the corresponding security-content advisory. This was a distinct security update for the 15.x branch issued on the same day as Apple’s broader 26.5 release wave.
Apple publishes iOS 18.7.3 and iPadOS 18.7.3 security update
Apple released iOS 18.7.3 and iPadOS 18.7.3 and published the corresponding security-content advisory. This was a separate security update for the 18.x branch issued the same day as Apple’s broader 26.5 release wave.
Apple releases iOS, macOS, and iPadOS 26.5 update wave
Apple shipped version 26.5 updates for iOS, iPadOS, macOS, watchOS, tvOS, visionOS, and HomePod software, bundling multiple security fixes documented in its advisories. The releases also introduced beta support for end-to-end encrypted RCS messaging on a limited set of carriers, with broader rollout planned over time.
Apple publishes macOS Tahoe 26.4 security advisory
Apple published the security-content advisory for macOS Tahoe 26.4. This represents a distinct macOS security advisory not yet captured in the timeline, separate from the broader March 26, 2026 26.4 release wave and the May 11, 2026 26.5 update entries.
Apple releases broad security update wave fixing 85+ vulnerabilities
Apple released iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, watchOS 26.4, tvOS 26.4, visionOS 26.4, Safari 26.4, and Xcode 26.4, fixing more than 85 vulnerabilities across its product line. The reported issues included AirPlay, kernel, privacy, Keychain, WebKit, and legacy-device flaws, with no listed CVEs reported as exploited in the wild.
Apple publishes watchOS 26.3 security update
Apple released watchOS 26.3 and published its security-content advisory. This was a distinct Apple Watch security update issued on the same day as several other March 24, 2026 Apple advisories, ahead of the broader 26.4 release wave two days later.
Apple publishes visionOS 26.3 security update
Apple released visionOS 26.3 and published its security-content advisory. This was a distinct Vision Pro security update issued on the same day as other March 24, 2026 Apple releases, two days before the broader 26.4 update wave.
Apple publishes macOS Sequoia 15.7.4 security update
Apple released macOS Sequoia 15.7.4 and published the corresponding security-content advisory. This was a separate macOS security update issued on the same day as other March 24, 2026 Apple releases, ahead of the broader 26.4 update wave two days later.
Apple publishes macOS Tahoe 26.3 security update
Apple released macOS Tahoe 26.3 and published its security-content advisory. This was a distinct macOS security update issued two days before Apple’s broader 26.4 release wave.
Apple publishes macOS Sonoma 14.8.4 security update
Apple released macOS Sonoma 14.8.4 and published its security-content advisory. This was a distinct macOS security update issued two days before Apple’s broader 26.4 release wave.
Apple publishes tvOS 26.3 security update
Apple released tvOS 26.3 and published its security-content advisory. This was a distinct security update for Apple TV issued on the same day as the iOS/iPadOS 18.7.5 release, ahead of the broader 26.4 update wave two days later.
Apple publishes iOS 26.3 and iPadOS 26.3 security update
Apple released iOS 26.3 and iPadOS 26.3 and published the corresponding security-content advisory. This was a distinct security update for Apple’s current mobile platform branch issued on the same day as several other March 24, 2026 Apple advisories, ahead of the broader 26.4 release wave two days later.
Apple publishes iOS 18.7.5 and iPadOS 18.7.5 security update
Apple released iOS 18.7.5 and iPadOS 18.7.5 and published the corresponding security-content advisory. The update represents a distinct security release for the 18.x branch ahead of the broader 26.4 update wave later that week.
Apple publishes iOS 15.8.7 and iPadOS 15.8.7 security update
Apple released iOS 15.8.7 and iPadOS 15.8.7 and published the corresponding security-content advisory. This was a distinct security update for the 15.x branch issued alongside other Apple advisories on March 11, 2026.
Apple publishes macOS Sonoma 14.2 security advisory
Apple published the security-content advisory for macOS Sonoma 14.2. This represents a distinct macOS security update issued on the same day as other March 11, 2026 Apple advisories and before the March 24 and March 26 release waves.
Apple publishes iOS 16.7.15 and iPadOS 16.7.15 security update
Apple released iOS 16.7.15 and iPadOS 16.7.15 and published the corresponding security-content advisory. This was a distinct security update for the 16.x branch issued between the February 2026 update cycle and the later March 24 and March 26 release waves.
Apple publishes Safari 17.2 security advisory
Apple published the security-content advisory for Safari 17.2. This represents a distinct Safari security update not already captured in the timeline between the February 2026 Safari 26.3 release and the later May 2026 Safari 26.5 update.
Apple publishes Safari 26.3 security update
Apple released Safari 26.3 and published its security-content advisory. The update represents a distinct Safari security release preceding the broader 26.4 update wave later in March 2026.
Apple publishes tvOS 26.2 security update
Apple released tvOS 26.2 and published its security-content advisory. This was a distinct Apple TV security update issued before the later tvOS 26.3 and broader 26.4 release wave.
Apple publishes watchOS 26.2 security update
Apple released watchOS 26.2 and published its security-content advisory. This was a distinct Apple Watch security update issued alongside other February 11, 2026 platform advisories before the broader March 2026 26.4 release wave.
Apple publishes visionOS 26.2 security update
Apple released visionOS 26.2 and published its security-content advisory. This was a distinct security update for Vision Pro preceding Apple’s broader March 2026 26.4 update wave.
Apple publishes macOS Tahoe 26 security advisory
Apple published the security-content advisory for macOS Tahoe 26. This was a distinct macOS security release preceding the later February, March, and May 2026 Apple update waves already captured in the timeline.
Apple publishes Safari 26.2 security advisory
Apple published the security-content advisory for Safari 26.2. This was a distinct Safari security update issued before the later Safari 26.3 and Safari 17.2 advisories already captured in the timeline.
Apple credits Google Big Sleep for two WebKit flaws in iOS/iPadOS 26.2
Apple’s security advisory for iOS 26.2 and iPadOS 26.2 listed two WebKit vulnerabilities credited to Google Big Sleep: CVE-2025-43535, which could cause a crafted webpage to crash a process, and CVE-2025-46299, which could disclose internal application states. The advisory entry for CVE-2025-46299 was added on 2026-01-09, showing continued upstream recognition of Big Sleep in Apple security fixes.
Apple publishes macOS Ventura 13.5 security advisory
Apple published the security-content advisory for macOS Ventura 13.5. This represents a distinct macOS security update not already captured in the timeline, preceding the January 2026 Apple advisory entries.
Apple publishes macOS Sonoma 14.5 security advisory
Apple published the security-content advisory for macOS Sonoma 14.5. This represents a distinct macOS security update not already captured in the timeline, preceding the later Ventura and Sonoma advisory entries already listed.
STAR Labs publishes technical advisory for CVE-2024-27828
STAR Labs disclosed technical details for CVE-2024-27828, explaining that repeated calls to IOSurfaceRootUserClient::s_create_shared_event could cause a reference count leak leading to kernel panic or kernel-level code execution. The advisory credited Pan Zhenpeng with discovering the flaw.
Apple fixes CVE-2024-27828 in multiple operating systems
Apple addressed CVE-2024-27828, a high-severity IOSurfaceRoot memory handling flaw, in iOS/iPadOS 17.5, tvOS 17.5, watchOS 10.5, and visionOS 1.2. The vulnerability could allow a local app to trigger a kernel panic or execute arbitrary code with kernel privileges.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
50 references tracked. Mallory keeps watching after this page renders.
Safari 26.5 - TidBITS
tidbits.com
Open sourceAbout the security content of Safari 26.5 - Apple Support
support.apple.com
Open sourceZero Day Initiative - The Apple macOS Security Update Review
thezdi.com
Open sourceKernel Vulns Uncovered by Xint in MacOS, iOS and iPadOS - Xint
xint.io
Open sourceAbout the security content of iOS 26.3 and iPadOS 26.3 - Apple Support
support.apple.com
Open sourceAbout the security content of macOS Tahoe 26.3 - Apple Support
support.apple.com
Open sourceAbout the security content of macOS Sonoma 14.8.4 - Apple Support
support.apple.com
Open sourceAbout the security content of iOS 15.8.7 and iPadOS 15.8.7 - Apple Support
support.apple.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apple security updates addressing actively exploited iOS and macOS vulnerabilities
Apple published multiple security advisories across iOS/iPadOS, macOS, and watchOS releases that include fixes for vulnerabilities reported as **actively exploited** in the wild. Notable exploited issues include iOS/iPadOS 15.6.1 fixes for **kernel** and **WebKit** out-of-bounds writes enabling arbitrary code execution (`CVE-2022-32894`, `CVE-2022-32893`), iOS/iPadOS 16.3.1’s exploited **WebKit** type confusion leading to code execution (`CVE-2023-23529`), and iOS/iPadOS 15.7.5 plus macOS Big Sur 11.7.6 addressing an **IOSurfaceAccelerator** out-of-bounds write that could yield kernel-level code execution (`CVE-2023-28206`) alongside an exploited **WebKit** use-after-free (`CVE-2023-28205`). Apple also shipped iOS/iPadOS 16.6.1 and macOS Ventura 13.5.2 updates to remediate an exploited **ImageIO** buffer overflow (`CVE-2023-41064`) and an exploited **Wallet** attachment validation issue that could allow code execution (`CVE-2023-41061`). Separately, Apple’s iOS 17.0.1 and watchOS 9.6.3 advisories describe two vulnerabilities (`CVE-2023-41991`, `CVE-2023-41992`) reported by **Citizen Lab** and Google’s **Threat Analysis Group** as exploited against versions prior to iOS 16.7, involving **signature validation bypass** and **local privilege escalation**. Other referenced advisories (e.g., iOS/iPadOS 16.7, iOS/iPadOS 17.2, iOS/iPadOS 18.1, iOS/iPadOS 18.3, macOS Sequoia 15.1, iOS/iPadOS 26.1, macOS Tahoe 26.1, iOS/iPadOS 26.2) primarily enumerate additional CVEs and privacy/logic/memory-safety fixes but do not clearly tie to the same specific exploited-vulnerability disclosures, indicating they are broader platform security bulletins rather than part of a single incident response.
Mar 21, 2026
Apple Security Updates Address Multiple Vulnerabilities Including an In-the-Wild Exploited Memory Corruption Flaw
Apple issued security updates across its ecosystem to address **multiple vulnerabilities** affecting *iOS, iPadOS, macOS, tvOS, watchOS,* and *visionOS*, with impacts including **remote code execution (RCE)**, denial of service, elevation of privilege, information disclosure, data manipulation, and security restriction bypass. HKCERT highlighted **CVE-2026-20700** as a **high-risk** issue and noted it is **being exploited in the wild**; the flaw is described as an **improper restriction of operations within the bounds of a memory buffer** that could allow arbitrary code execution when an attacker has memory-write capability. Apple’s iOS 26.3 and iPadOS 26.3 security content includes fixes for issues that could expose sensitive information on a locked device (e.g., **CVE-2026-20645** and **CVE-2026-20674**) and a Bluetooth-related denial-of-service condition where a privileged network attacker could trigger DoS using crafted packets (**CVE-2026-20650**). The updates apply to **iPhone 11 and later** and a range of supported iPad models, and Apple reiterated its policy of publishing details after patches are available.
May 12, 2026
Apple Fixes Multiple Kernel, WebKit, and Data Exposure Flaws in iOS, iPadOS, and watchOS
Apple released security updates for **iOS 18.7.7**, **iPadOS 18.7.7**, and **watchOS 26.4** to address a wide range of vulnerabilities affecting supported iPhones, iPads, and Apple Watch Series 6 and later. The patches cover core components including **Kernel**, **WebKit**, **Security**, **CoreMedia**, **CoreUtils**, **Audio**, **802.1X**, and **UIFoundation**, with Apple warning that successful exploitation could enable network traffic interception, denial of service, unauthorized access to sensitive data, installed-app enumeration, Keychain access, kernel memory disclosure, and in some cases kernel memory write or Activation Lock bypass.
Apr 1, 2026