Apple released iOS 26.5 in late May 2026, and the update is not a routine feature refresh. It patches a wide range of security vulnerabilities, including a WebKit flaw tracked as CVE-2026-43660 that could let a malicious website bypass one of the browser’s core defenses and access sensitive user data. Government cybersecurity agencies in the United States and Hong Kong have both flagged the release, and Apple has extended fixes to older versions of iPadOS and other platforms.
If you own an iPhone and have not yet installed the update, here is what you need to know and why security researchers are treating this one as urgent.
The WebKit flaw at the center of the update
The vulnerability that has drawn the most attention involves Content Security Policy, or CSP. In simple terms, CSP is a set of rules your browser enforces to make sure a web page can only load scripts and resources from sources its developer explicitly trusts. It is one of the primary barriers that prevents an attacker from injecting malicious code into a legitimate site and then using that code to reach your data.
CVE-2026-43660 breaks that barrier. According to the National Vulnerability Database entry maintained by the U.S. National Institute of Standards and Technology, the flaw allows “malicious web content” to prevent Content Security Policy “from being enforced.” In practical terms, that means a compromised or attacker-controlled web page could load unauthorized scripts capable of grabbing session tokens, reading form inputs, or siphoning other sensitive information from within the browser.
Because Apple requires every browser on iOS to use WebKit as its rendering engine, the flaw is not limited to Safari. Chrome, Firefox, and any app that displays web content on an iPhone all rely on the same underlying code. A single unpatched vulnerability in WebKit ripples across the entire ecosystem.
What government agencies are saying
The National Institute of Standards and Technology has cataloged CVE-2026-43660 in its vulnerability database and linked it to broader risk-management frameworks that federal agencies use to prioritize patching. The presence of the flaw in those systems signals that U.S. government networks treat the WebKit bug as an operational risk, not a theoretical one.
Separately, Hong Kong’s Computer Emergency Response Team Coordination Centre published Security Alert A26-05-15, covering multiple vulnerabilities across Apple products. The advisory confirms that iOS 26.5 is part of a coordinated release that also patches flaws in legacy iOS and iPadOS versions, meaning older iPhones and iPads running earlier software branches received their own fixes in the same cycle.
When independent government teams in different jurisdictions highlight the same software update within the same window, it is a reliable indicator that the patch addresses issues of more than routine importance. Both agencies published their notices after Apple disclosed the vulnerabilities and shipped fixes, following the standard coordinated-disclosure process.
It is worth noting that the U.S. Cybersecurity and Infrastructure Security Agency, known as CISA, had not published a dedicated advisory or Known Exploited Vulnerabilities catalog entry for CVE-2026-43660 at the time of this article’s publication. CISA typically issues its own alerts when it has evidence of active exploitation or when a vulnerability meets its threshold for mandatory federal patching. The absence of a CISA advisory does not diminish the severity of the flaw, but it does mean that, as of late May 2026, the agency has not publicly confirmed in-the-wild exploitation.
Apple’s own security release notes
Apple publishes detailed security release notes for every software update on its Apple security releases support page. These notes are the canonical primary source for the full list of patched vulnerabilities, including individual CVE identifiers, affected components, and brief technical descriptions. The NVD records and government CERT advisories discussed above draw from and cross-reference Apple’s own disclosures. Anyone seeking the definitive accounting of what iOS 26.5 fixes should consult Apple’s release notes directly.
How many vulnerabilities does iOS 26.5 actually fix?
The headline figure of more than 50 flaws, including 10 in WebKit, circulates widely in secondary coverage but does not appear in either the NVD record for CVE-2026-43660 or the GovCERT.HK advisory. Both sources confirm that iOS 26.5 patches multiple vulnerabilities without providing an aggregate tally. Apple’s own security release notes list individual CVEs, and the totals reported elsewhere likely come from counting every entry on that page. Until a definitive tally is confirmed, the precise figures should be treated as approximate.
What is not in dispute is the breadth of the update. The GovCERT.HK alert lists several Apple operating systems in a single bulletin, indicating that the security issues span iPhones, iPads, and potentially Macs and other Apple devices. That cross-platform scope is consistent with WebKit vulnerabilities, since the engine is shared across Apple’s product line.
Is anyone exploiting these flaws right now?
This is the question most users want answered, and the honest answer is that it is not publicly confirmed. The NVD entry for CVE-2026-43660 describes the technical mechanism but does not state whether the flaw has been exploited in active attacks. Apple sometimes tags vulnerabilities with language indicating awareness of exploitation “in the wild,” but that detail is absent from the government database records reviewed for this article. CISA has not added the flaw to its Known Exploited Vulnerabilities catalog as of late May 2026.
The absence of an “actively exploited” tag does not mean the risk is low. It may mean the information has not yet been published, that evidence of exploitation has not met the threshold for public disclosure, or that Apple is still investigating. CSP bypasses are valuable to attackers precisely because they can be triggered silently through normal web browsing, with no app installation or user interaction beyond loading a page.
“A Content Security Policy bypass in a universal rendering engine like WebKit is about as serious as browser vulnerabilities get,” said one independent security researcher who reviewed the NVD entry. “Every app on iOS that touches the web is affected, and the user does not have to do anything unusual to be exposed. They just have to visit the wrong page.” The researcher, who spoke on condition of anonymity because they were not authorized to comment publicly, added that the coordinated multi-platform patch release suggests Apple treated the issue with high internal priority.
How to install the update
On any supported iPhone, open Settings, tap General, then tap Software Update. If iOS 26.5 is available for your device, you will see a prompt to download and install it. The process typically takes 10 to 20 minutes depending on your connection speed and device model. Make sure your phone is charged above 50 percent or connected to power before starting.
If you have automatic updates enabled, your iPhone may have already downloaded the patch overnight. You can verify your current version by going to Settings > General > About and checking the number next to “iOS Version.”
Users on older devices that no longer support iOS 26 should check for a separate security update under the same Software Update screen. Apple’s coordinated release, as confirmed by the GovCERT.HK advisory, includes patches for legacy iPadOS and iOS branches.
Why the WebKit CSP bypass makes this patch cycle different
Security patches are easy to postpone. The “Remind Me Later” button is right there, and the update requires a restart that interrupts whatever you are doing. But the nature of the WebKit CSP bypass makes this one worth prioritizing.
WebKit is not an optional component on iOS. It is the rendering engine behind every browser and every in-app web view on the platform. A flaw in WebKit means that any app displaying web content, from your email client’s embedded links to a news reader’s article view, could potentially serve as an attack surface. The CSP bypass specifically undermines a defense designed to contain exactly this kind of threat.
Both the U.S. and Hong Kong advisories frame the patched issues as security vulnerabilities, not feature bugs. The cross-platform scope of the release, the involvement of multiple government CERTs, and the nature of the WebKit flaw all point in the same direction: install iOS 26.5 now, not next week.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
