iOS 26.3 and Co.: Many security vulnerabilities fixed – also for older versions
Apple has communicated details about the bug fixes included in the new operating systems. The list is long again.
Installation of iOS on an iPhone.
(Image: nikkimeel / Shutterstock.com)
Apple has released security information about its updates yesterday for iOS 26.3, macOS 26.3, and the other new operating systems. It shows: At least one of the patched vulnerabilities has already been exploited. It is in the important daemon dyld, which can be used to load libraries at runtime of an app.
Bug in dyld
“An attacker with write access to memory may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in a highly sophisticated attack on individuals with iOS versions before iOS 26,” the company stated. However, it is confusing that the fix, at least according to Apple's security information, is only present in iOS 26.3, macOS 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3. Older versions of the operating systems do not contain it, according to the information available so far and would therefore need to be updated. The exploited vulnerability is assigned CVE IDs 2025-14174 and 2025-43529. It was discovered by Google's Threat Analysis Group (TAG).
Videos by heise
In total, almost 40 vulnerabilities were patched in iOS 26.3 and iPadOS 26.3, plus a dozen bugs for which Apple provides no information. The affected areas range from accessibility features, CoreServices, and Kernel to WebKit. The fixes in macOS 26.3 are similarly extensive, as are those for visionOS 26.3.
Updates for older versions are porous
The lists for tvOS 26.3 and watchOS 26.3 are shorter than usual, partly because the systems do not have an official Safari browser. Safari 26.3 is part of macOS 26.3 and iOS and iPadOS 26.3, but is also offered individually for macOS 14 (Sonoma) and 15 (Sequoia). A handful of WebKit bugs have been fixed here.
Apple has also released individual updates for iOS and iPadOS 18 (to 18.7.5), as well as Sequoia (15.7.4) and Sonoma (14.8.4). As unfortunately is usual, they do not receive all fixes, and in particular the aforementioned Dyld vulnerability is missing. All in all, one should update quickly once again. Apple has also not provided any information on who exactly carried out the “highly sophisticated attack” and what victims there were.
Empfohlener redaktioneller Inhalt
Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.
(bsc)
