Apple released updates for iOS/iPadOS, macOS, and Safari on Monday. There have been no updates for other Apple operating systems (visionOS, watchOS, tvOS). Usually, Apple updates all products at the same time.

Most of the vulnerabilities affect the web browser (WebKit, libxslt, WebRTC, and Web Extension). Only four of the vulnerabilities are not directly related to web content: Three Kernel issues and one vulnerability in the IOGPUFamily.

None of the vulnerabilities is labeled as "exploited".

 

iOS 26.5.2 and iPadOS 26.5.2 macOS Tahoe 26.5.2 Safari 26.5.2
CVE-2026-39868: An app may be able to cause unexpected system termination or corrupt kernel memory.
Affects Kernel
x x  
CVE-2026-43676: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebKit
x x x
CVE-2026-43700: Processing maliciously crafted web content may disclose sensitive user information.
Affects WebKit
x x x
CVE-2026-43701: A malicious website may be able to process restricted web content outside the sandbox.
Affects WebKit
x x x
CVE-2026-43703: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects libxslt
x x  
CVE-2026-43704: A malicious web extension may be able to cause an unexpected process crash.
Affects Web Extensions
x x x
CVE-2026-43705: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit
x x x
CVE-2026-43706: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects libxslt
x x  
CVE-2026-43707: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
x x x
CVE-2026-43708: A malicious website may exfiltrate data cross-origin.
Affects WebKit
x x x
CVE-2026-43712: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
x x x
CVE-2026-43713: Visiting a website may leak sensitive data.
Affects WebKit
x x x
CVE-2026-43715: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit
x x x
CVE-2026-43716: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebKit
x x x
CVE-2026-43718: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebRTC
x x x
CVE-2026-43720: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebKit Canvas
x x x
CVE-2026-43721: A malicious website may be able to silently hijack clipboard data.
Affects WebKit Storage
x x x
CVE-2026-43722: An app may be able to leak sensitive kernel state.
Affects Kernel
x x  
CVE-2026-43724: An app may be able to cause unexpected system termination or write kernel memory.
Affects Kernel
x x  
CVE-2026-43725: A malicious website may be able to process restricted web content outside the sandbox.
Affects WebKit
x x x
CVE-2026-43727: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebKit
x x x
CVE-2026-43732: Processing maliciously crafted web content may disclose sensitive user information.
Affects WebKit
x x x
CVE-2026-43735: A malicious website may exfiltrate data cross-origin.
Affects WebKit
x x x
CVE-2026-43740: Processing maliciously crafted web content may result in the disclosure of process memory.
Affects WebKit
x x x
CVE-2026-43742: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
x x x
CVE-2026-43743: An app may be able to cause unexpected system termination.
Affects IOGPUFamily
x x  
CVE-2026-43745: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebKit
x x x
CVE-2026-43746: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebRTC
x x x

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.