iPhone, Mac & more: Lots of security updates – iOS 18 remains unpatched

With iOS 26.1, macOS 26.1, iPadOS 26.1, watchOS 26.1, tvOS 26.1, and visionOS 26.1, which have been available since Monday evening, Apple has also closed numerous security vulnerabilities. In addition to the new systems, older ones were also patched—but only on the Mac. iOS 18 and iPadOS 18 initially remained completely without an update, which ultimately forces users to update to iOS 26.1 and iPadOS 26.1 to seal their systems. Whether Apple will follow up with a patch package for the popular older system for iPhones and iPads remains unclear.

iOS and iPadOS: Update quickly

iOS 26.1 and iPadOS 26.1 contain 45 security-relevant improvements, plus 16 further patches that Apple (unfortunately) does not detail further, but to which only credits (i.e., the finders) have been assigned. Almost all areas are affected, from the kernel to the installation routine, account control, integrated AI models, and the Photos app to the Safari browser with various closed WebKit vulnerabilities.

There appear to be no known exploits yet; at least Apple does not list any. The vulnerabilities potentially lead to app and system crashes, leaked data, loading of unwanted content, activation of the device camera without permission, and several more problematic errors—Apple did not initially name remotely exploitable bugs (Remote Exploits). As mentioned, iOS and iPadOS 18 remain at version 18.7.1 from last September. Whether this means Apple is completely stopping maintenance remains unclear. That would be unfortunate, as many users who do not like the Liquid Glass look in iOS 26 and iPadOS 26 initially stayed on iOS 18 and iPadOS 18. They are currently using insecure systems.

Massive patch package for Tahoe

The number of vulnerabilities closed in macOS 26.1 is even larger: there are a whopping knapp 90—plus a dozen bugs for which Apple publishes no further details. At least one of the macOS vulnerabilities is exploitable from the outside—in the form of a denial-of-service attack on the CoreAnimation routine. Otherwise, as on iPhone and iPad, it is a mixed bag of bugs—from “A” for Admin Framework (user data can leak) to “C” for CloudKit (sandbox escape), “N” for Networking (iCloud Private Relay turns off) to “s” for sudo (apps can grab sensitive data). Safari for macOS also contained many errors in WebKit. App and system-level crashes can be provoked. A vulnerability in “Find My” that enables user fingerprinting is also relevant to data protection.

For macOS Sequoia, Apple is releasing Update 15.7.2, for macOS Sonoma, Update 14.8.2. Both correct, as is unfortunately typical for Apple, not all vulnerabilities stopped in macOS 26.1; only those using the latest operating system are fully secure. How problematic this is is difficult to say, as it remains unclear how many of the fixed bugs were introduced with macOS 26. Details on the patch packages for tvOS 26.1, watchOS 26.1, and visionOS 26.1 have also been published by Apple; here too there are dozens of fixes; a quick update is advised. Finally, Apple also provides a single browser update to Safari 26.1 for Sequoia and Sonoma. Developers also receive Xcode 26.1, which patches vulnerabilities in the GNU framework and libd (available from macOS 15.6).

Empfohlener redaktioneller Inhalt

Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.

Preisvergleiche immer laden Preisvergleich jetzt laden

Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.

(bsc)