Apple released iOS 26.1 and iPadOS 26.1, addressing multiple vulnerabilities that could lead to privacy breaches, app crashes, and potential data leaks for iPhone and iPad users.
The update targets devices starting from the iPhone 11 series and various iPad models, including the iPad Pro (3rd generation 12.9-inch and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later).
This release underscores Apple’s ongoing commitment to rapid response against evolving threats, especially as cyber risks intensify in an era of advanced malware and targeted attacks.
The patches address over 50 issues across core components like WebKit, the Kernel, and Accessibility features. Many stem from memory corruption risks, privacy issues, and sandbox escapes, which could allow malicious apps to snoop on user data or destabilize the system.
Security researchers from ByteDance, Trend Micro’s Zero Day Initiative, Google, and independent experts discovered most flaws, highlighting the collaborative nature of vulnerability hunting in the iOS ecosystem.
Key Privacy and Sandbox Vulnerabilities Patched
Several fixes focus on preventing apps from overstepping boundaries, a common vector for data theft. For instance, in Accessibility (CVE-2025-43442), a permissions flaw let apps detect other installed applications, potentially enabling fingerprinting.
Apple mitigated this with stricter restrictions. Similarly, the Apple Account component (CVE-2025-43455) blocked malicious apps from screenshotting sensitive info in embedded views through enhanced privacy checks.
In the Kernel and Apple Neural Engine, memory handling improvements (CVE-2025-43398, CVE-2025-43447, CVE-2025-43462) prevent unexpected crashes or kernel corruption, which could lead to denial-of-service attacks.
Assets and CloudKit updates (CVE-2025-43407, CVE-2025-43448) reinforce sandbox integrity by validating symlinks more rigorously and preventing apps from escaping their confines to access protected files.
Contacts and Photos also received logging and temporary file tweaks (CVE-2025-43426, CVE-2025-43391) to redact sensitive data and curb unauthorized access. A notable fix in Stolen Device Protection (CVE-2025-43422) adds logic to prevent physical attackers from disabling the feature, vital for protecting lost or stolen devices.
| Component | CVE | Impact | Description | Researcher |
|---|---|---|---|---|
| Accessibility | CVE-2025-43442 | App identifies installed apps | Permissions issue with added restrictions | Zhongcheng Li (ByteDance) |
| Apple Account | CVE-2025-43455 | Malicious app screenshots sensitive info | Privacy issue with improved checks | Ron Masas, Pinak Oza |
| Kernel | CVE-2025-43398 | Unexpected system termination | Improved memory handling | Cristian Dinca (icmd.tech) |
| Assets | CVE-2025-43407 | App breaks sandbox | Improved entitlements | JZ |
| CloudKit | CVE-2025-43448 | App breaks sandbox | Improved symlink validation | Hikerell (Loadshine Lab) |
| Contacts | CVE-2025-43426 | App accesses sensitive data | Improved data redaction in logging | Wojciech Regula (SecuRing) |
| Stolen Device Protection | CVE-2025-43422 | Attacker disables protection | Added logic | Will Caine |
WebKit Overhaul Targets Web-Based Exploits
WebKit, powering Safari and web views, dominates the update with fixes for crashes, memory corruption, and cross-origin data exfiltration.
A use-after-free vulnerability (CVE-2025-43438) could crash Safari via malicious content, while buffer overflows (CVE-2025-43429) risked arbitrary code execution.
Apple addressed these through better memory management, bounds checking, and disabling risky optimizations like array allocation sinking (CVE-2025-43421).
Privacy threats include keystroke monitoring (CVE-2025-43495) and cross-origin image theft in Canvas (CVE-2025-43392). Visiting spoofed sites could trick users (CVE-2025-43493, CVE-2025-43503), now countered with UI state improvements.
| Component | CVE | Impact | Description | Researcher |
|---|---|---|---|---|
| WebKit | CVE-2025-43480 | Cross-origin data exfiltration | Improved checks (Bugzilla 276208) | Aleksejs Popovs |
| WebKit | CVE-2025-43438 | Safari crash via use-after-free | Improved memory management (Bugzilla 297662) | shandikri (Trend Micro ZDI) |
| WebKit | CVE-2025-43495 | Keystroke monitoring | Improved checks (Bugzilla 300095) | Lehan Dilusha Jayasinghe |
| WebKit Canvas | CVE-2025-43392 | Cross-origin image exfil | Improved cache handling (Bugzilla 297566) | Tom Van Goethem |
| WebKit | CVE-2025-43429 | Process crash via buffer overflow | Improved bounds checking (Bugzilla 298232) | Google Big Sleep |
Other components like Camera, Siri, and Text Input received targeted patches for logic flaws and lock screen leaks (CVE-2025-43450, CVE-2025-43454, CVE-2025-43452).
Experts urge immediate updates, as unpatched devices remain vulnerable to zero-day exploits. Apple’s security page details all fixes, crediting researchers under its bounty program. With iOS 26.1, users gain stronger defenses against a landscape rife with sophisticated threats.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
