Morning Overview

Apple just pushed iOS 26.5 to every iPhone in service — patching 50+ flaws including 10 in WebKit that could steal data through a bad web page

If you haven’t updated your iPhone yet, a single bad web page could be enough to steal personal data right out of Safari. Apple released iOS 26.5 in late May 2026, and the patch notes are sobering: the update addresses dozens of security flaws, including multiple vulnerabilities in WebKit, the engine that renders every web page on every iPhone browser. Two of those flaws now have formal entries in the U.S. government’s National Vulnerability Database (NVD), and what they describe should make anyone still running an older version reach for their Settings app.

Two flaws the federal government has cataloged

The NVD, maintained by the National Institute of Standards and Technology (NIST), is the U.S. government’s official ledger of software security defects. Two entries tied to iOS 26.5 spell out the risk in plain terms.

CVE-2026-28962 is a WebKit flaw that allows “processing maliciously crafted web content” to “disclose sensitive user information.” Translation: an attacker who controls or compromises a website can serve a page that quietly siphons data from anyone who loads it on an unpatched device. No file download, no pop-up warning. Just visiting the page is enough.

CVE-2026-28942 is a use-after-free bug, a category of memory-safety error in which software tries to use a chunk of memory that has already been released. Think of it like a hotel handing out a key card to a room that has already been reassigned: the wrong guest walks in. In WebKit’s case, the result is at minimum an unexpected Safari crash, and at worst a foothold for an attacker to run code on the device. The NVD confirms this flaw spans iOS, iPadOS, macOS, tvOS, visionOS, watchOS, and Safari, meaning the same defective code runs on nearly every screen Apple sells.

Both entries reference Apple’s own security advisories, confirming the company acknowledged and patched the flaws.

Why WebKit makes this worse than it sounds

On most platforms, users can choose a browser with its own independent rendering engine. On iPhones and iPads, they can’t. Apple’s App Store rules require every browser to use WebKit under the hood. Chrome, Firefox, Brave, and every other alternative on iOS are essentially different dashboards bolted onto the same engine. When a vulnerability surfaces in WebKit, it doesn’t just affect Safari. It affects every browser on the device, period.

That architecture turns a single WebKit bug into a system-wide exposure. CVE-2026-28942’s cross-platform footprint drives the point home: the same rendering code runs on the Apple Watch, Apple TV, and Vision Pro headset. A flaw found once propagates everywhere.

What we don’t know yet

Early reporting on iOS 26.5 has cited more than 50 fixes overall, with roughly 10 tied to WebKit. Those figures trace back to summaries of Apple’s own security-content page for the release, which lists individual patches by component. The NVD records published so far, however, detail only the two CVEs described above. Until NIST finishes processing the remaining entries, the broader count cannot be independently verified through government sources alone.

Neither NVD entry includes language indicating the flaws were exploited in the wild before the patch shipped. That doesn’t rule out real-world attacks; it simply means no federal record currently confirms them. NIST also had not assigned severity scores (CVSS ratings) to either CVE at the time of publication, leaving enterprise security teams without a formal risk ranking for now.

Apple has not publicly disclosed how many devices have already installed the update, and the company’s staged rollout process means availability can vary slightly by region.

Which iPhones are covered

iOS 26 supports iPhone models from the iPhone SE (3rd generation) and iPhone XS forward, according to Apple’s compatibility list published at WWDC in June 2025. If your device received iOS 26, it should be eligible for the 26.5 patch. Users on older hardware that maxed out at iOS 18 or earlier will not receive this fix and should consider upgrading or limiting web browsing on those devices.

How to install iOS 26.5 and close the WebKit gap

Open Settings, tap General, then tap Software Update. If iOS 26.5 appears, tap Download and Install. The process typically takes 10 to 20 minutes depending on connection speed, and the phone will restart once during installation.

The two federally documented flaws require nothing more than a malicious web page to trigger. No suspicious link in a text message, no sideloaded app. Just a page load. That means the attack surface is as wide as the internet itself, and the gap between patch availability and patch installation is exactly the window attackers count on. Close it.


*This article was researched with the help of AI, with human editors creating the final content.

