On Monday, Apple released critical security updates for iPads, Macs, and iPhones running older operating systems to fix serious flaws tied to WebKit, kernel access, Wi-Fi, and sandbox escapes.

The company released a major round of security updates on May 11, patching vulnerabilities across current and legacy versions of macOS, iOS, and iPadOS. The releases include macOS Tahoe 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, iOS 18.7.9, iPadOS 18.7.9, iPadOS 17.7.11, iOS 16.7.16, and iOS 15.8.8.

Detailed advisories published by the company describe flaws affecting the kernel, WebKit, Wi-Fi, sandbox protections, privacy systems, and file handling frameworks. Apple continues shipping security patches for iPhones, iPads, and Macs released more than a decade ago even after those devices fall behind the newest operating systems.

Current-generation operating systems received the largest security patches in the release cycle. For example, macOS Tahoe 26.5 includes fixes for vulnerabilities tied to privilege escalation, sandbox escapes, denial-of-service attacks, Gatekeeper bypasses, arbitrary kernel-level code execution, and exposure of sensitive user data.

iOS 18.7.9 and iPadOS 18.7.9 patch a wide range of vulnerabilities affecting the iPhone XS, iPhone XR, and seventh-generation iPad. The updates include fixes for flaws involving WebKit, Siri, Mail Drafts, App Intents, Wi-Fi, mDNSResponder, LaunchServices, and multiple kernel components.

Apple also patched vulnerabilities that could allow apps to gain elevated privileges, escape sandbox restrictions, or access protected user information.

None of the advisories identify the patched vulnerabilities as actively exploited in the wild. Apple usually includes explicit warnings when it believes attackers are already using a flaw against users, and those notices do not appear in the latest releases.

WebKit and kernel fixes dominate the release

WebKit received some of the largest fixes in the latest security releases. The browser engine powers Safari, App Store previews, embedded app browsers, and many web views across iOS and macOS.

Apple patched multiple WebKit vulnerabilities that could bypass Content Security Policy protections, leak sensitive user information, crash Safari processes, or corrupt memory through malicious web content. The release also contains extensive kernel fixes across macOS, iOS, and iPadOS.

Those patches address vulnerabilities tied to root privilege escalation, kernel memory disclosure, integer overflows, out-of-bounds writes, race conditions, and Gatekeeper bypasses involving malicious disk images or ZIP archives.

Networking and wireless systems received several serious fixes. The updates patch a Wi-Fi flaw that allows arbitrary code execution with kernel privileges through an out-of-bounds write vulnerability, and denial-of-service bugs involving crafted Wi-Fi packets and mDNSResponder network traffic.

Apple also patched vulnerabilities involving installed app enumeration, App Privacy Report bypasses, IP address tracking, unauthorized Contacts access, screen capture through camera metadata exposure, and multiple sandbox escape flaws.

Apple is still maintaining hardware from 2014 and 2015

Separate maintenance updates continue extending security support for aging hardware. Apple published dedicated releases for iPadOS 17, iOS 16, and iOS 15 instead of ending support once devices fall behind the newest operating system branch.

iPadOS 17.7.11 targets the sixth-generation iPad, the 10.5-inch iPad Pro, and the second-generation 12.9-inch iPad Pro. That release contains a single Notification Services fix addressing an issue where deleted notifications could remain stored on-device unexpectedly.

Older hardware also received updates through iOS 16.7.16 and iPadOS 16.7.16 for devices including the iPhone X and first-generation 12.9-inch iPad Pro. iOS 15.8.8 and iPadOS 15.8.8 extend support even farther back to hardware including the iPhone 6s, iPhone 7, first-generation iPhone SE, iPad Air 2, and iPad mini 4.

Black iPhone with dual rear cameras standing upright on a wooden surface against a textured gray wall, Apple logo centered on the phone's backiPhone 17

Both legacy branches patch the same Notification Services vulnerability tied to retained deleted notifications. Research attribution across the advisories also reflects changes in the security industry.

Apple credited researchers from Google Threat Analysis Group, Google Project Zero, Palo Alto Networks, TrendAI Zero Day Initiative, and independent security firms across the release. One kernel vulnerability in macOS Tahoe 26.5 was credited to Calif.io "in collaboration with Claude and Anthropic Research."

How users can reduce risk

Many of the patched vulnerabilities affect browser engines, wireless networking, app isolation systems, and low-level operating system components. Vulnerabilities in WebKit, Wi-Fi, and the kernel can affect core protections across the operating system.

Users should install the updates as soon as possible and restart devices afterward so kernel and networking patches fully apply. Apple also recommends avoiding untrusted apps, unknown configuration profiles, suspicious links, unsecured Wi-Fi networks, and unsolicited file downloads.

Several of the patched vulnerabilities involve malicious web content, crafted files, privilege escalation, and sandbox escape flaws.

Safari and system browser updates are crucial, as WebKit powers much of Apple's software ecosystem beyond Safari. Users with unsupported devices that don't receive security updates should avoid using them for sensitive tasks like banking, password management, or storing personal data.