Apple has released a major security update with iOS 26.2, addressing a broad range of vulnerabilities that could have put iPhone and iPad users at risk. The company disclosed the details on its support page on Friday, warning that some of the flaws had the potential to expose sensitive user data, crash devices, or, in rare situations, allow full system compromise.

According to Apple, the vulnerabilities affect iPhone 11 and newer models, as well as several recent iPads. Impacted devices include iPad Pro models from the third generation onward, iPad Air starting from the third generation, iPad from the eighth generation, and iPad mini from the fifth generation. Users of these devices are strongly advised to install the update as soon as possible.

One of the more concerning issues involved the App Store. Apple revealed that a permissions-related flaw could have allowed a malicious app to gain access to sensitive payment tokens. This issue has now been fixed by tightening system restrictions. Similar permission and logging weaknesses were also found across various system components, including Icons, Messages, MediaExperience, Screen Time, Telephony, and Photos. In certain scenarios, these bugs could have enabled apps to access private user data, Safari browsing history, or details about other installed applications.

At the system level, Apple patched a serious kernel vulnerability that could have allowed a malicious app to gain root privileges. The company explained that this issue stemmed from an integer overflow problem and has now been resolved by moving to 64-bit timestamps. Several other low-level components, such as Foundation, Multi-Touch, libarchive, and AppleJPEG, were also affected by memory corruption bugs. These flaws could have caused apps to crash or behave unpredictably when handling specially crafted files or data.

FaceTime and calling features were not immune either. Apple fixed issues in FaceTime and the Calling Framework where password fields could be exposed during remote device control sessions. Another flaw could have allowed an attacker to spoof a FaceTime caller ID. Apple said improved state management resolved both problems, reinforcing the security of real-time communication features.

A significant number of the disclosed vulnerabilities were linked to WebKit, the browser engine that powers Safari. Apple warned that maliciously crafted web content could trigger crashes, memory corruption, or even arbitrary code execution. Notably, the company acknowledged reports that at least two WebKit flaws may have been exploited in “extremely sophisticated” targeted attacks against specific individuals using older versions of iOS, prior to iOS 26. These vulnerabilities have now been fully patched.

Some of the security issues originated from open-source software used by Apple, including curl and libarchive. Apple noted that these flaws were assigned CVE identifiers by third parties and that its software was among the affected projects.

While Apple has not suggested that most of these vulnerabilities were exploited on a large scale, it is urging users to update immediately. Installing iOS 26.2 ensures protection against known threats and reinforces Apple’s ongoing efforts to safeguard user privacy and device security.