While the collective attention of the tech world is currently focused on iOS 27, Apple is still rolling out updates for iOS 26. While we’re unlikely to get another feature-rich release in the “26” era, there will always be bugs and security flaws whenever Apple or third-party researchers discover them. Case in point: Monday, Apple dropped iOS 26.5.2.which comes with fixes for 29 security vulnerabilities.

First, the good news: none of these threats seem to be “zero days.” A zero-day is a security flaw that is publicly disclosed or actively exploited before a software developer has had a chance to release a patch. They’re especially dangerous, because it gives hackers an advantage: they can try to find an exploit — or worse, exploit that exploit — as long as it takes for a developer to release an update, and have its user base install it. Fortunately, none of these flaws appear to be solvable, meaning this is not a mission-critical situation. Still, any security flaws are concerning, and now that they’ve been disclosed, it’s only a matter of time before someone figures out how to exploit them. Thus, it is important to install iOS 26.5.2 as soon as possible.

Here are the iOS 26.5.2 patches.

According to Apple’s official security release notes, iOS 26.5.2 (and iPadOS 26.5.2) patches 29 security flaws. Many of the flaws relate to how WebKit, Apple’s engine that powers Safari, stores user data. You’ll find some vulnerabilities that can expose sensitive data if a user processes malicious web content (for example, if you click on a fraudulent link), as well as a vulnerability that can leak sensitive data just by visiting a website, even if that site isn’t necessarily malicious. Another patch handles a flaw that allows malicious websites to process data outside of a “sandbox” or place Apple websites in a secure element so they don’t go into secure parts of iOS, while another patch addresses a flaw that could steal clipboard data without your knowledge.

You’ll find all 29 patches below, along with a description, fix, and CVE (Common Vulnerabilities and Exposures) number used to locate them. Again, there are no known active exploits for any of these flaws.

1. The IOGPU family: An app can cause an unexpected system shutdown. Fixed race condition with improved state handling. CVE-2026-43743: Lawton, Dunn

2. Dana: An app may cause an unexpected system shutdown or write kernel memory. This issue was addressed with improved input sanitization. CVE-2026-43724:

3. Dana: An app may be able to leak sensitive kernel state. This issue was addressed with improved input sanitization. CVE-2026-43722.

4. Dana: An app may cause an unexpected system shutdown or corrupt kernel memory. This issue was resolved with improved input validation. CVE-2026-39868.

5. libxslt: Processing maliciously crafted web content can lead to unexpected process crashes. Fixed a double-free issue with better memory management. CVE-2026-43706.

6. libxslt: Processing maliciously crafted web content can lead to unexpected process crashes. This issue was resolved with improved memory handling. CVE-2026-43703.

7. Web Extensions: A malicious web extension can cause unexpected process crashes. Fixed free after use issue with better memory management. CVE-2026-43704.

8. WebKit: Processing maliciously crafted web content may reveal sensitive user information. Fixed cross-origin issue with improved security origin tracking. CVE-2026-43700.

9. WebKit: A malicious website can leak data cross-origin. This issue was resolved with improved checks. CVE-2026-43735.

10. WebKit: Processing maliciously crafted web content can lead to unexpected process crashes. Fixed free after use issue with better memory management. CVE-2026-43734/CVE-2026-43726/CVE-2026-43709/CVE-2026-43699/CVE-2026-43742.

11. WebKit: Processing maliciously crafted web content may reveal sensitive user information. Fixed route handling issue with better validation. CVE-2026-43732.

12. WebKit: Processing maliciously crafted web content can cause memory corruption. Fixed free after use issue with better memory management. CVE-2026-43731/CVE-2026-43715.

13. WebKit: Processing maliciously crafted web content can cause an unexpected Safari crash. Fixed free after use issue with better memory management. CVE-2026-43727.

14. WebKit: A malicious website can process restricted web content outside the sandbox. The issue was resolved with improved input validation. CVE-2026-43725.

15. WebKit: Processing maliciously crafted web content can lead to unexpected process crashes. This issue was resolved with improved memory handling. CVE-2026-43663/CVE-2026-39872/CVE-2026-43712.

16. WebKit: Processing maliciously crafted web content can cause an unexpected Safari crash. This issue was resolved with improved memory handling. CVE-2026-43716.

17. WebKit: Processing maliciously crafted web content can cause an unexpected Safari crash. Fixed out-of-bounds access issue with improved bounds checking. CVE-2026-43676.

18. WebKit: Processing maliciously crafted web content can result in process memory exposure. This issue was resolved with improved memory handling. CVE-2026-43740.

19. WebKit: Visiting a website can leak sensitive data. Fixed permission issue with additional restrictions. CVE-2026-43713.

20. WebKit: A malicious website can leak data cross-origin. The issue was resolved with improved input validation. CVE-2026-43708.

21. WebKit: Processing maliciously crafted web content can lead to unexpected process crashes. The memory corruption issue was addressed with improved memory handling. CVE-2026-43707.

22. WebKit: Processing maliciously crafted web content can cause memory corruption. Fixed a type confusion issue with better checks. CVE-2026-43705.

23. WebKit: A malicious website can process restricted web content outside the sandbox. This issue was resolved with improved checks. CVE-2026-43701.

24. WebKit: Processing maliciously crafted web content can cause an unexpected Safari crash. Fixed out-of-bounds write issue with better input validation. CVE-2026-43745.

25. WebKit Canvas: Processing maliciously crafted web content can cause an unexpected Safari crash. Fixed free after use issue with better memory management. CVE-2026-43720.

26. WebKit Storage: A malicious website may be able to silently hijack clipboard data. This problem was solved by better state management. CVE-2026-43721.

27. WebRTC: Processing maliciously crafted web content can lead to unexpected process crashes. Fixed out-of-bounds access issue with improved bounds checking. CVE-2026-28979.

28. WebRTC: Processing maliciously crafted web content can cause an unexpected Safari crash. Fixed a stack overflow with improved input validation. CVE-2026-43718.

29. WebRTC: Processing maliciously crafted web content can cause an unexpected Safari crash. Fixed free after use issue with better memory management. CVE-2026-43717/CVE-2026-43746.

How to Update to iOS 26.5.2

Installing this security patch is like any other iOS update. If you have enabled automatic updates, the OS should update itself at the scheduled time. However, you can start the process manually by going to General > Software Update And follow the on-screen instructions.