iOS 26.1 and iPadOS 26.1 Bring Dozens of Critical Security Fixes, Here’s the Full List

Apple has rolled out iOS 26.1 and iPadOS 26.1, and if you’ve been putting off updating your device, now might be a good time to reconsider.

These updates don’t just bring cosmetic and feature changes — they patch dozens of critical security flaws across multiple system components, including Apple Account, Photos, and Safari.

A Major Security-Focused Update

The updates mark the first big release since the initial rollout of iOS 26 back in September. And, as usual, Apple has now published the complete list of vulnerabilities fixed with iOS 26.1 and iPadOS 26.1.

Among the highlights:

• A fix for a bug that allowed Stolen Device Protection to be disabled without proper authentication.
• A WebKit exploit that could let malicious websites monitor your keystrokes.
• Fixes for vulnerabilities in Apple Account, Photos, and Safari that could lead to data exposure or unauthorized access.

Worth checking out: iOS 26.1 Now Out: Apple’s Official Release Notes

If that wasn’t reason enough to hit “Download and Install,” the number of issues addressed in this release certainly should be.

Apple’s Full Security Release Notes

According to Apple, iOS 26.1 and iPadOS 26.1 address around 50 separate vulnerabilities across system components. Below is the complete list, as published by Apple:

Accessibility

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to identify what other apps a user has installed

Description: A permissions issue was addressed with additional restrictions.

CVE-2025-43442: Zhongcheng Li from IES Red Team of ByteDance

Apple Account

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: A malicious app may be able to take a screenshot of sensitive information in embedded views

Description: A privacy issue was addressed with improved checks.

CVE-2025-43455: Ron Masas of BreakPoint.SH, Pinak Oza

Apple Neural Engine

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to cause unexpected system termination or corrupt kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2025-43447: an anonymous researcher

CVE-2025-43462: an anonymous researcher

Apple TV Remote

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: A malicious app may be able to track users between installs

Description: The issue was addressed with improved handling of caches.

CVE-2025-43449: Rosyna Keller of Totally Not Malicious Software

AppleMobileFileIntegrity

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access protected user data

Description: This issue was addressed with improved validation of symlinks.

CVE-2025-43379: Gergely Kalman (@gergely_kalman)

Assets

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved entitlements.

CVE-2025-43407: JZ

Audio

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An attacker with physical access to an unlocked device paired with a Mac may be able to view sensitive user information in system logging

Description: A logging issue was addressed with improved data redaction.

CVE-2025-43423: Duy Trần (@khanhduytran0)

Camera

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to learn information about the current camera view before being granted camera access

Description: A logic issue was addressed with improved checks.

CVE-2025-43450: Dennis Briner

CloudKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved validation of symlinks.

CVE-2025-43448: Hikerell (Loadshine Lab)

Contacts

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A logging issue was addressed with improved data redaction.

CVE-2025-43426: Wojciech Regula of SecuRing (wojciechregula.blog)

Control Center

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An attacker may be able to view restricted content from the lock screen

Description: A permissions issue was addressed with additional restrictions.

CVE-2025-43350: Lukaah Marlowe

CoreServices

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to enumerate a user’s installed apps

Description: A permissions issue was addressed with additional restrictions.

CVE-2025-43436: Zhongcheng Li from IES Red Team of ByteDance

CoreText

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2025-43445: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative

FileProvider

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: An authorization issue was addressed with improved state management.

CVE-2025-43498: pattern-f (@pattern_F_)

Find My

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to fingerprint the user

Description: A privacy issue was addressed by moving sensitive data.

CVE-2025-43507: iisBuri

Installer

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to fingerprint the user

Description: A permissions issue was addressed with additional restrictions.

CVE-2025-43444: Zhongcheng Li from IES Red Team of ByteDance

Kernel

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to cause unexpected system termination

Description: The issue was addressed with improved memory handling.

CVE-2025-43398: Cristian Dinca (icmd.tech)

libxpc

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: A sandboxed app may be able to observe system-wide network connections

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2025-43413: Dave G. and Alex Radocea of supernetworks.org

Mail Drafts

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Remote content may be loaded even when the ‘Load Remote Images’ setting is turned off

Description: The issue was addressed by adding additional logic.

CVE-2025-43496: Romain Lebesle, Himanshu Bharti @Xpl0itme From Khatima

MallocStackLogging

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: An issue existed in the handling of environment variables. This issue was addressed with improved validation.

CVE-2025-43294: Gergely Kalman (@gergely_kalman)

Model I/O

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2025-43386: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2025-43385: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2025-43384: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

CVE-2025-43383: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

Multi-Touch

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: A malicious HID device may cause an unexpected process crash

Description: The issue was addressed with improved bounds checks.

CVE-2025-43424: Google Threat Analysis Group

Notes

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed by removing the vulnerable code.

CVE-2025-43389: Kirin (@Pwnrin)

On-device Intelligence

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to fingerprint the user

Description: A privacy issue was addressed by removing sensitive data.

CVE-2025-43439: Zhongcheng Li from IES Red Team of ByteDance

Photos

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved handling of temporary files.

CVE-2025-43391: Asaf Cohen

Safari

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Visiting a malicious website may lead to address bar spoofing

Description: The issue was addressed with improved checks.

CVE-2025-43493: @RenwaX23

Safari

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Visiting a malicious website may lead to user interface spoofing

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2025-43503: @RenwaX23

Safari

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass certain Privacy preferences

Description: A privacy issue was addressed by removing sensitive data.

CVE-2025-43502: an anonymous researcher

Sandbox Profiles

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved handling of user preferences.

CVE-2025-43500: Stanislav Jelezoglo

Siri

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: A device may persistently fail to lock

Description: This issue was addressed through improved state management.

CVE-2025-43454: Joshua Thomas

Status Bar

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An attacker with physical access to a locked device may be able to view sensitive user information

Description: A logic issue was addressed with improved checks.

CVE-2025-43460: Isaiah Wan

Stolen Device Protection

Available for: iPhone 11 and later

Impact: An attacker with physical access to a device may be able to disable Stolen Device Protection

Description: The issue was addressed by adding additional logic.

CVE-2025-43422: Will Caine

Text Input

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Keyboard suggestions may display sensitive information on the lock screen

Description: This issue was addressed by restricting options offered on a locked device.

CVE-2025-43452: Thomas Salomon, Sufiyan Gouri (TU Darmstadt), Phil Scott (@MrPeriPeri) & Richard Hyunho Im (@richeeta), Mark Bowers, Joey Hewitt, Dylan Rollins, Arthur Baudoin, an anonymous researcher, Andr.Ess

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: A malicious website may exfiltrate data cross-origin

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 276208

CVE-2025-43480: Aleksejs Popovs

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: This issue was addressed through improved state management.

WebKit Bugzilla: 296693

CVE-2025-43458: Phil Beauvoir

WebKit Bugzilla: 298196

CVE-2025-43430: Google Big Sleep

WebKit Bugzilla: 298628

CVE-2025-43427: Gary Kwong, rheza (@ginggilBesel)

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: This issue was addressed with improved checks.

WebKit Bugzilla: 299843

CVE-2025-43443: an anonymous researcher

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 298496

CVE-2025-43441: rheza (@ginggilBesel)

WebKit Bugzilla: 299391

CVE-2025-43435: Justin Cohen of Google

WebKit Bugzilla: 298851

CVE-2025-43425: an anonymous researcher

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: This issue was addressed with improved checks

WebKit Bugzilla: 298126

CVE-2025-43440: Nan Wang (@eternalsakura13)

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 297662

CVE-2025-43438: shandikri working with Trend Micro Zero Day Initiative

WebKit Bugzilla: 298606

CVE-2025-43457: Gary Kwong, Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative

WebKit Bugzilla: 297958

CVE-2025-43434: Google Big Sleep

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to monitor keystrokes without user permission

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 300095

CVE-2025-43495: Lehan Dilusha Jayasinghe

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to memory corruption

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 298093

CVE-2025-43433: Google Big Sleep

WebKit Bugzilla: 298194

CVE-2025-43431: Google Big Sleep

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 299313

CVE-2025-43432: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: A buffer overflow was addressed with improved bounds checking.

WebKit Bugzilla: 298232

CVE-2025-43429: Google Big Sleep

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: Multiple issues were addressed by disabling array allocation sinking.

WebKit Bugzilla: 300718

CVE-2025-43421: Nan Wang (@eternalsakura13)

WebKit Canvas

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: A website may exfiltrate image data cross-origin

Description: The issue was addressed with improved handling of caches.

WebKit Bugzilla: 297566

CVE-2025-43392: Tom Van Goethem

Apple has also published similar security notes for macOS Tahoe 26.1, watchOS 26.1, tvOS 26.1, and visionOS 26.1 — meaning every Apple device is getting important security attention this cycle.

Why It Matters

Security updates like this are often overlooked, but they’re some of the most important patches Apple releases all year. These fixes prevent potential exploits that could compromise your personal data, passwords, and even device access.

So if you haven’t already, open Settings > General > Software Update and install iOS 26.1 or iPadOS 26.1 right away.

The Bottom Line

Apple may be focusing on flashy features like Liquid Glass and Apple Intelligence, but it’s these quiet, behind-the-scenes patches that keep your iPhone and iPad truly secure.

When Apple says, “There are about 50 reasons to update,” it’s not exaggerating.