Apple’s security year so far has been anything but quiet.
The company’s 2026 security cycle has been dominated by a steady stream of updates across iOS, iPadOS, macOS, watchOS, tvOS, visionOS, and Safari, with most major platforms now on versions 26.5 or later. Below is a breakdown of the company’s key security events so far this year.
Apple’s first zero-day of 2026
One of the most significant security events of the year came in February, when Apple disclosed CVE-2026-20700, a vulnerability affecting a core operating system component known as dyld.
The flaw could allow attackers to execute malicious code on vulnerable devices. Apple warned that it had been used in what the company described as “extremely sophisticated” attacks against specific individuals.
The issue affected iPhones, iPads, Macs, Apple Watches, Apple TVs, and Vision Pro devices before Apple released patches through iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3.
According to Apple’s advisory, “An attacker with memory write capability may be able to execute arbitrary code.” Researchers noted that the vulnerability was linked to two previously patched WebKit flaws, CVE-2025-14174 and CVE-2025-43529, which had also been used in targeted attacks.
WebKit bugs put iPhones at risk
The year began with Apple addressing those two WebKit vulnerabilities (CVE-2025-14174 and CVE-2025-43529), which security researchers said could allow attackers to gain deep access to affected devices simply by exploiting flaws in Safari’s web-rendering engine.
The vulnerabilities could be used to execute malicious code through compromised webpages, potentially exposing sensitive information such as passwords and financial data.
The bugs affected millions of iPhones and iPads before Apple released fixes through iOS 26.2 and related updates for older supported devices. Security experts emphasized that users did not necessarily need to click anything for an attack to succeed, making the flaws particularly concerning.
DarkSword: The iPhone exploit kit anyone could copy-paste
The single biggest Apple security story of the year so far broke in mid-March, when three cybersecurity firms — iVerify, Lookout, and Google’s Threat Intelligence Group — published coordinated findings about an exploit kit they named DarkSword.
What made DarkSword remarkable wasn’t just what it could do. It was how casually it had been left lying around. Researchers found it sitting openly on compromised Ukrainian websites, fully annotated, logically organized, and so neatly documented that stealing the whole thing and pointing it at someone else’s server would take little more than a copy-and-paste.
The kit had been found on two specific Ukrainian sites: a news outlet and an official government court website. Any visitor on an unpatched iPhone running iOS 18.4 through 18.6.2 would have been silently compromised the moment the page loaded.
The attack framework used a “watering hole” technique, stealthily targeting visitors who loaded infected pages. Researchers said vulnerable iPhones could be compromised simply by visiting a hacked website.
Once active, DarkSword could access a wide range of information, including messages, passwords, browser history, photos, notes, emails, and cryptocurrency wallet data. Researchers also found traces of the tool in attacks across Ukraine, Saudi Arabia, Turkey, and Malaysia.
The discovery raised alarms because security researchers estimated that between roughly 221 million and 270 million iPhones could still be vulnerable due to users running older software versions. Apple later released additional protections, including rare backported security updates for users who remained on iOS 18 rather than upgrading to iOS 26.
A new way to patch security problems
March brought a major shift in how Apple distributes security fixes. The company introduced its first public Background Security Improvement, a system designed to deliver smaller security updates automatically between major operating system releases.
The initial rollout focused on CVE-2026-20643, a WebKit vulnerability discovered by researcher Thomas Espach. According to Apple, the flaw meant that “Processing maliciously crafted web content may bypass Same Origin Policy.”
The vulnerability could potentially allow malicious websites to access information belonging to other websites by bypassing browser isolation protections. Unlike traditional software updates, the new system installs security fixes quietly in the background without requiring users to perform a full operating system update.
Apple explained that “Background Security Improvements deliver lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries that benefit from smaller, ongoing security patches between software updates.”
The feature effectively replaces Apple’s earlier Rapid Security Response mechanism and signals a move toward more continuous security maintenance.
Macs faced their own privacy threat
Apple’s mobile platforms were not the only targets. In January, researchers disclosed CVE-2025-43530, a macOS vulnerability that allowed attackers to bypass Apple’s Transparency, Consent, and Control (TCC) framework, which governs access to sensitive resources.
According to security researcher Mickey Jin, attackers could abuse trusted Apple components to access files, microphone data, and other protected information without triggering user consent prompts.
Jin said an attacker “can execute arbitrary AppleScript files and send AppleEvents to any target process (such as Finder), thereby completely bypassing the TCC protection mechanism.”
The flaw highlighted how trusted system services can become attractive targets when attackers find ways to exploit implicit trust relationships within an operating system.
Massive spring cleanups
The sheer volume of vulnerabilities being discovered has kept Apple’s patch cycle moving at an unprecedented pace. In its mid-May security updates, the company published 11 new security advisories tackling dozens of vulnerabilities simultaneously.
The iOS and iPadOS 26.5 updates addressed more than 60 CVEs, including 20 distinct WebKit flaws that could cause sandboxed data leaks and device crashes. Meanwhile, macOS Tahoe 26.5 resolved nearly 80 vulnerabilities, closing flaws that allowed arbitrary code execution and root-level privilege escalation.
Then, on June 1, Apple issued iOS 26.5.1 and macOS Tahoe 26.5.1, both with “no published CVE entries,” to fix iPhone 17 charging issues and M5 Mac shutdown problems ahead of WWDC on June 8.
Protecting your Apple devices
With exploits becoming more readily available on the secondary market to financially motivated cybercriminals, security professionals stress that mobile endpoints must be treated with the same rigor as corporate servers. Apple and independent researchers recommend the following immediate actions to secure your hardware:
- Verify automated patches: Navigate to your device’s software update settings and ensure that both standard automatic updates and “Background Security Improvements” are toggled on. If turned off, background fixes are delayed until the next major OS bundle.
- Implement lockdown mode: For journalists, activists, or high-profile enterprise targets, enabling Apple’s native “Lockdown Mode” provides an aggressive shield against sophisticated web-based zero-click exploits.
- Establish a reboot routine: Because many modern, advanced toolkits like DarkSword operate purely in the device’s volatile memory to remain hidden, regularly restarting your phone or Mac will clear active fileless infections.
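For teams managing more than a handful of devices, the version numbers cited in this article can be turned into a quick inventory check. The Python script below is an added example, not code from Apple or the researchers quoted here; it flags iOS and iPadOS versions inside the reported DarkSword range or below the fixed releases named above. The inventory format and device names are constructed for illustration.

```python
import re

# Version boundaries quoted in the article; nothing else is assumed.
DARKSWORD_RANGE = ((18, 4, 0), (18, 6, 2))  # iOS 18.4 through 18.6.2
FIX_LEVELS = [                               # (first fixed release, what it fixes)
    ((26, 2, 0), "WebKit CVE-2025-14174 / CVE-2025-43529"),
    ((26, 3, 0), "dyld CVE-2026-20700"),
    ((26, 5, 0), "iOS 26.5 fixes (more than 60 CVEs)"),
]

def parse_version(text):
    """Turn '18.6.2' or '26.3' into a 3-tuple, padding missing parts with 0."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def triage(version_text):
    """Return the list of findings for one iOS/iPadOS version string."""
    v = parse_version(version_text)
    findings = []
    lo, hi = DARKSWORD_RANGE
    if lo <= v <= hi:
        findings.append("inside DarkSword range 18.4-18.6.2")
    if v[0] < 26:
        # The article gives no build numbers for the iOS 18 backports,
        # so anything on the older line is routed to manual verification.
        findings.append("pre-26 release: verify backported fixes manually")
    else:
        findings += [f"missing {label}" for fixed, label in FIX_LEVELS if v < fixed]
    return findings

def triage_fleet(inventory):
    """Map device name -> findings, keeping only devices that need action."""
    flagged = {}
    for device, version in inventory:
        try:
            result = triage(version)
        except ValueError as exc:
            result = [str(exc)]  # unparseable rows still need a human look
        if result:
            flagged[device] = result
    return flagged

# Constructed sample inventory (device names are hypothetical).
SAMPLE = [("exec-iphone", "18.5"), ("lab-ipad", "18.7.1"), ("kiosk-01", "26.2"),
          ("dev-iphone", "26.5.1"), ("byod-07", "unknown")]

if __name__ == "__main__":
    for device, findings in triage_fleet(SAMPLE).items():
        print(f"{device}: {'; '.join(findings)}")
```

Devices on the iOS 18 line are never reported as clean, because the article does not say which backported build carries the fixes.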


