Apple Patches Numerous Vulnerabilities Across Its Products


Apple’s latest security update wave — covering iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, watchOS 26.4, tvOS 26.4, visionOS 26.4, Safari 26.4, and Xcode 26.4 — resolves over 85 vulnerabilities. No active exploitation has been reported for any of the CVEs in this release. Below are the key vulnerabilities practitioners should track.

CVE-2026-28865 — AirPlay / Network Traffic Interception
Affected: iOS 26.4, iPadOS 26.4
Component: AirPlay / Networking Stack
Severity: High

An attacker in a privileged network position may be able to intercept network traffic. Apple addressed an authentication issue through improved state management. The bug was credited to Héloïse Gollier and Mathy Vanhoef of KU Leuven — Vanhoef is the researcher behind the KRACK and DRAGONBLOOD Wi-Fi protocol attacks. That attribution alone elevates this CVE’s credibility and potential exploit sophistication.

Impact: Man-in-the-middle interception of AirPlay traffic in shared or untrusted network environments.

CVE-2026-28868 — Kernel State Leakage
Affected: iOS 26.4, iPadOS 26.4
Component: Kernel
Severity: High

An app may be able to leak sensitive kernel state. Kernel state disclosure vulnerabilities are commonly chained with memory corruption bugs — the leaked state is used to defeat ASLR before a follow-on code execution payload lands.

Impact: Kernel memory disclosure; meaningful as a chaining primitive in multi-stage exploit development.

CVE-2026-20688 — User Fingerprinting via Permissions
Affected: iOS 26.4, iPadOS 26.4
Component: Permissions Framework
Severity: Medium

An app may be able to fingerprint the user. Apple addressed a permissions issue with additional restrictions. Fingerprinting primitives are routinely harvested by adtech SDKs and stalkerware embedded in third-party apps.

Impact: User identity profiling without explicit consent, enabling cross-app or cross-session tracking.

CVE-2026-28886 — Installed App Enumeration
Affected: iOS 26.4, iPadOS 26.4
Component: Privacy / App Sandbox
Severity: Medium

An app may be able to enumerate a user’s installed apps. Apple addressed the issue by removing the sensitive data from returned values. Installed app lists are a valuable recon primitive in targeted spyware operations — revealing banking apps, VPN clients, security tools, or communication platforms present on the device.

Impact: Device profiling for targeted surveillance or social engineering.

Keychain Access — Local Attacker
Affected: iOS 26.4, iPadOS 26.4
Component: Keychain Services
Severity: High

A local attacker may gain access to the user’s Keychain items. Apple addressed the issue with improved permissions checking. No CVE ID has been published for this entry yet. Keychain is Apple’s centralized credential store — a successful exploit grants access to stored passwords, certificates, and authentication tokens across all apps.

Impact: Full credential compromise for any service whose secrets are stored in Keychain.

CVE-2026-20609 — Process Memory Disclosure via Image
Affected: iOS 18.7.5 / Legacy Devices
Component: ImageIO
Severity: Medium

Processing a maliciously crafted image may result in disclosure of process memory. Image-based memory disclosure bugs are low-interaction — a single image preview in Mail, Messages, or a browser can trigger the leak without user action beyond opening the message.

Impact: Process memory exposure; useful for information gathering ahead of code execution attempts.

CVE-2026-20616 — HID Device Crash
Affected: iOS 18.7.5 / Legacy Devices
Component: IOKit / HID
Severity: Medium

A malicious HID device may cause an unexpected process crash. Apple addressed an out-of-bounds write issue with improved bounds checking. Physical proximity is required: the attacker must connect or pair a rogue HID (Human Interface Device) to trigger the out-of-bounds write.

Impact: Process crash with potential for privilege escalation in more targeted physical-access scenarios.

CVE-2026-20655 — Mail Remote Content Privacy Bypass
Affected: iOS 18.7.5 / Legacy Devices
Component: Mail
Severity: Medium

Turning off “Load remote content in messages” may not apply to all mail previews. This is a logic flaw — a user-configured privacy control is silently bypassed, allowing remote tracking pixels or external content to load despite the setting being explicitly disabled.

Impact: IP address and read-receipt exposure to email senders, undermining a core privacy control that users rely on.

CVE-2026-20678 — Deleted Notes Disclosure
Affected: iOS 18.7.5 / Legacy Devices
Component: Notes
Severity: Medium

An attacker may be able to discover a user’s deleted notes. Apple addressed a logic issue with improved state management.

Impact: Recovery of content a user believed was permanently deleted — sensitive in personal, legal, or corporate contexts.

Patch Recommendation

All iOS and iPadOS users should update to 26.4 immediately. Users on older hardware should apply the 18.7.5 update without delay — the Mail privacy bypass and deleted notes disclosure in particular are low-friction findings with real-world privacy consequences. macOS Tahoe 26.4 should be prioritized in managed environments given its 75+ fix count spanning kernel, WebKit, and open-source dependencies.
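One way to act on this recommendation in a managed fleet, as an added example that is not part of the original article: a Python check over a constructed inventory export that flags devices below the 26.4 and 18.7.5 builds named above and lists the entries this article files under each release. The CSV columns, device names and the rule that anything outside those release trains goes to manual review are assumptions.

```python
import csv
import io

# Fixed builds and the entries filed under each release, as given in the
# article above. Keys are (OS family, major version).
BASELINES = {
    ("iOS", 26): ((26, 4, 0), ["CVE-2026-28865", "CVE-2026-28868",
                               "CVE-2026-20688", "CVE-2026-28886",
                               "Keychain access (no CVE ID published)"]),
    ("iOS", 18): ((18, 7, 5), ["CVE-2026-20609", "CVE-2026-20616",
                               "CVE-2026-20655", "CVE-2026-20678"]),
    ("macOS", 26): ((26, 4, 0), []),  # article lists no individual macOS CVEs
}

# Constructed sample export; column names and device names are assumptions.
SAMPLE_INVENTORY = """device,os,version
phone-01,iOS,26.4
phone-02,iOS,26.3.1
tablet-07,iPadOS,18.7.4
tablet-08,iPadOS,18.7.5
mac-11,macOS,26.3
phone-09,iOS,17.7
phone-10,iOS,unknown
"""

def parse_version(text):
    """'26.4' -> (26, 4, 0). Padding keeps 26.4 equal to 26.4.0 in comparisons."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(os_name, version_text):
    """Return (status, open_entries) for one device."""
    family = "iOS" if os_name in ("iOS", "iPadOS") else os_name
    try:
        version = parse_version(version_text)
    except ValueError:
        return "review", []          # unparseable version string
    baseline = BASELINES.get((family, version[0]))
    if baseline is None:
        return "review", []          # release train not covered by the article
    fixed_in, entries = baseline
    return ("patched", []) if version >= fixed_in else ("outdated", entries)

def audit(inventory_csv):
    """Map each device name to its assessment."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device"]: assess(row["os"], row["version"]) for row in rows}

if __name__ == "__main__":
    for device, (status, entries) in audit(SAMPLE_INVENTORY).items():
        print(f"{device:10} {status:9} {', '.join(entries)}")
```

Devices reported as `review` run a release train the article does not cover, or carry a version string that could not be parsed, and need a manual decision.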
