Apple has released a comprehensive security update for iOS 26 and iPadOS 26, addressing 27 vulnerabilities across multiple system components.
The update, released on September 15, 2025, targets devices including iPhone 11 and later models, along with various iPad generations from iPad Pro 12.9-inch 3rd generation onwards.
Critical System Components Affected
The security patches span 23 different system components, with WebKit receiving particular attention due to multiple vulnerabilities that could lead to Safari crashes and unexpected process termination.
The Apple Neural Engine, which powers machine learning capabilities across Apple devices, also received fixes for an out-of-bounds access issue that could cause system crashes.
Several core system components required security improvements, including the Kernel, IOKit, and Sandbox systems.
The Kernel update addresses a logic issue where UDP server sockets bound to local interfaces could become accessible to all interfaces, potentially exposing network communications.
The Sandbox component received fixes for permissions issues that could allow applications to break out of their security restrictions.
Media processing components CoreAudio and CoreMedia both received patches for vulnerabilities that could lead to app termination or memory corruption when processing maliciously crafted files.
The Audio update similarly addresses out-of-bounds access issues through improved bounds checking.
Multiple vulnerabilities related to sensitive data access have been resolved across various system services.
AppleMobileFileIntegrity received fixes to prevent unauthorized access to user data, while Bluetooth components now feature improved data redaction to protect sensitive information from unauthorized access.
The Text Input system received critical updates to prevent keyboard suggestions from displaying sensitive information on lock screens.
Additionally, Siri improvements ensure Private Browsing tabs cannot be accessed without proper authentication, strengthening user privacy protections during voice interactions.
Call History functionality now includes improved redaction mechanisms to prevent application fingerprinting, while the Notes application addresses cache handling issues that could expose locked note content to unauthorized viewers with physical device access.
WebKit components received multiple security patches addressing various crash scenarios and unauthorized access issues.
| CVE-ID | Component | Impact |
|---|---|---|
| CVE-2025-43344 | Apple Neural Engine | Unexpected system termination via OOB access |
| CVE-2025-43317 | AppleMobileFileIntegrity | Unauthorized access to sensitive user data |
| CVE-2025-43346 | Audio | App termination or memory corruption via media |
| CVE-2025-31254 | Safari | Unexpected URL redirection from crafted content |
| CVE-2025-43329 | Sandbox | App escape from sandbox restrictions |
| CVE-2025-43203 | Notes | Physical-access attacker may view locked images |
| CVE-2025-43368 | WebKit Process Model | Safari crash via use-after-free in web content |
The WebKit fixes prevent maliciously crafted web content from causing Safari crashes, unexpected process termination, and sensor access without user consent.
The WebKit Process Model fix (CVE-2025-43368) specifically addresses a use-after-free vulnerability that could lead to Safari crashes when processing malicious web content.
These browser security enhancements are particularly significant given the widespread use of Safari across Apple’s ecosystem and the potential for web-based attacks targeting mobile users.
Apple continues its practice of crediting security researchers who responsibly disclosed these vulnerabilities, with contributions from researchers at Trend Micro Zero Day Initiative, Kandji, and various independent security professionals.
Users are strongly encouraged to install this security update immediately to protect against potential exploitation of these vulnerabilities.