Supported Devices
This update applies to iPhone 11 and newer, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later).
Security Updates Overview
Impact: An application could gain access to sensitive payment tokens.
Resolution: A permissions flaw was corrected by introducing stricter access controls.
CVE: CVE-2025-46288 — floeki, Zhongcheng Li (IES Red Team, ByteDance)
AppleJPEG
Impact: Opening a specially crafted file could result in memory corruption.
Resolution: The issue was fixed by enhancing bounds checking.
CVE: CVE-2025-43539 — Michael Reeves (@IntegralPilot)
BiometricKit
Impact: After restoring from a backup, the passcode may not be required immediately following Face ID setup.
Resolution: A logic validation issue was fixed.
CVE: CVE-2025-46286 — Andrei Simion
Entry added: January 9, 2026
Calling Framework
Impact: A malicious actor may be able to impersonate a FaceTime caller ID.
Resolution: Improved state handling resolved a UI inconsistency.
CVE: CVE-2025-46287 — Anonymous researcher, Riley Walz
curl
Impact: Multiple security vulnerabilities exist in curl.
Resolution: These issues originate from third-party open-source code used by Apple software. CVE details are maintained by external parties.
CVEs: CVE-2024-7264, CVE-2025-9086
FaceTime
Impact: Password fields could be exposed when remotely controlling a device via FaceTime.
Resolution: Improved state management addressed the issue.
CVE: CVE-2025-43542 — Yiğit Ocak
Foundation (File Access)
Impact: An application may improperly access files through the spellcheck API.
Resolution: Additional logic checks were implemented.
CVE: CVE-2025-43518 — Noah Gregory (wts.dev)
Foundation (Stability)
Impact: Processing malicious input may cause unexpected app crashes.
Resolution: Enhanced bounds checking resolved a memory corruption issue.
CVE: CVE-2025-43532 — Meta Product Security
Icons
Impact: An app could infer which other apps are installed on the device.
Resolution: Additional permission restrictions were applied.
CVE: CVE-2025-46279 — Duy Trần (@khanhduytran0)
Kernel
Impact: An app may be able to escalate privileges and gain root access.
Resolution: An integer overflow was fixed by switching to 64-bit timestamps.
CVE: CVE-2025-46285 — Alibaba Group
Photos
Impact: Photos stored in the Hidden album could be viewed without authentication.
Resolution: Access restrictions were tightened.
CVE: CVE-2025-43428 — Anonymous researcher, Michael Schmutzer
Screen Time
Impact: Applications may access Safari history or other sensitive user data.
Resolution: Logging behavior was corrected with improved data redaction.
CVEs: CVE-2025-46277, CVE-2025-43538
Telephony
Impact: Applications could access sensitive telephony-related data.
Resolution: Additional entitlement verification was introduced.
CVE: CVE-2025-46292
WebKit (Multiple Issues)
Impact: Malicious web content could trigger crashes, memory corruption, or arbitrary code execution. Some of these issues were actively exploited in highly targeted attacks against versions of iOS prior to iOS 26.
Resolution: Multiple memory safety, state handling, and validation fixes were applied.
Notable CVEs:
CVE-2025-43529
CVE-2025-14174
CVE-2025-43531
CVE-2025-43541
CVE-2025-46299
WebKit Web Inspector
Impact: Processing crafted web content may result in unexpected process termination.
Resolution: A use-after-free vulnerability was fixed with improved memory handling.
