Apple Patches Everything, (Mon, May 11th)

Apple today released its typical feature update across it's operating systems (iOS, iPadOS, macOS, tvOS, watchOS, vision OS). With this update, Apple patched 84 different vulnerabilities. Updates are available for the 26 series of operating systems, as well as for the previous 18 version of iOS/iPadOS, and two versions back for macOS (version 14 and 15). None of the vulnerabilities has been exploited. The number of addressed vulnerabilities is about average compared to similar Apple updates. Figure: Number of Vulnerabilities patched for each security update. Last one in red at the end. iOS 26.5 and iPadOS 26.5 iOS 18.7.9 and iPadOS 18.7.9 macOS Tahoe 26.5 macOS Sequoia 15.7.7 macOS Sonoma 14.8.7 tvOS 26.5 watchOS 26.5 visionOS 26.5 CVE-2025-43524: An app may be able to break out of its sandbox. Affects Icons x x CVE-2026-28819: An app may be able to execute arbitrary code with kernel privileges. Affects Wi-Fi x x x x CVE-2026-28840: An app may be able to gain root privileges. Affects PackageKit x x CVE-2026-28846: A remote attacker may be able to cause unexpected app termination. Affects SceneKit x x x x x x x x CVE-2026-28848: A remote attacker may be able to cause unexpected system termination. Affects SMB x x CVE-2026-28870: An app may be able to access sensitive user data. Affects GeoServices x CVE-2026-28872: A remote attacker may be able to cause a denial-of-service. Affects Calendar x CVE-2026-28873: An app may be able to circumvent App Privacy Report logging. Affects Privacy x CVE-2026-28877: An app may be able to access sensitive user data. Affects Accounts x CVE-2026-28878: An app may be able to enumerate a user's installed apps. Affects Crash Reporter x CVE-2026-28882: An app may be able to enumerate a user's installed apps. Affects libxpc x CVE-2026-28883: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit x x x x x CVE-2026-28894: A remote attacker may be able to cause a denial-of-service. Affects Calling Framework x CVE-2026-28897: A local user may be able to cause unexpected system termination or read kernel memory. Affects Kernel x x x x x x x x CVE-2026-28901: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit x CVE-2026-28906: An attacker may be able to track users through their IP address. Affects Networking x x x x x x CVE-2026-28907: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Affects WebKit x x x x x x CVE-2026-28908: An app may be able to modify protected parts of the file system. Affects Kernel x x x CVE-2026-28913: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit x x x x CVE-2026-28914: A maliciously crafted ZIP archive may bypass Gatekeeper checks. Affects zip x CVE-2026-28915: An app may be able to gain root privileges. Affects CUPS x x x CVE-2026-28917: Processing maliciously crafted web content may lead to a