Advisory

Apple Patches Over 140 Vulnerabilities Across macOS, iOS, iPadOS, and tvOS in March 2026 Security Updates

Take action: Time to update all your Apple devices. No actively exploited zero-days this round, but the volume of fixes (especially the multiple kernel memory corruption flaws, sandbox escapes, and WebKit issues) means attackers will be studying these patches to develop exploits. Update iOS and iPadOS devices first, then Macs, then Apple TVs. Users on older iPhones (XS, XS Max, XR) and iPad 7th generation should update to iOS 18.7.7 and iPadOS 18.7.7.


Learn More

On March 24, 2026, Apple released security updates spanning iOS 26.4, iPadOS 26.4, iOS 18.7.7, iPadOS 18.7.7, macOS Tahoe 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and tvOS 26.4.

Collectively, these updates patch over 140 security vulnerabilities across the Kernel, WebKit, Audio, CoreMedia, CoreServices, Printing, Spotlight, SMB, NetAuth, CUPS, and many other components. While none of the flaws are confirmed as actively exploited in the wild, the updates include several high-severity issues: use-after-free and memory corruption flaws in the Kernel that could allow apps to write kernel memory or cause system termination, multiple sandbox escape vectors, and WebKit vulnerabilities enabling cross-site scripting and Same Origin Policy bypasses.

Vulnerabilities Affecting All Platforms (iOS, iPadOS, macOS, tvOS)

  • CVE-2026-28865 - Authentication flaw in 802.1X allowing network traffic interception by a privileged attacker
  • CVE-2026-28879 - Use-after-free in Audio triggered by maliciously crafted web content, causing unexpected process crash
  • CVE-2026-28822 - Type confusion in Audio allowing unexpected app termination
  • CVE-2026-20690 - Out-of-bounds access in CoreMedia via maliciously crafted media files, causing process termination
  • CVE-2026-28886 - Null pointer dereference in CoreUtils allowing denial-of-service by a privileged network attacker
  • CVE-2026-28878 - Privacy issue in Crash Reporter allowing apps to enumerate installed apps
  • CVE-2025-14524 - Open-source curl vulnerability that may result in sending sensitive information via an incorrect connection
  • CVE-2025-64505 - Open-source ImageIO vulnerability leading to unexpected app termination
  • CVE-2026-28867 - Authentication issue in Kernel allowing apps to leak sensitive kernel state
  • CVE-2026-20698 - Memory handling issue in Kernel allowing apps to corrupt kernel memory or cause system termination
  • CVE-2026-20687 - Use-after-free in Kernel allowing apps to cause system termination or write kernel memory
  • CVE-2026-28852 - Stack overflow in UIFoundation allowing apps to cause a denial-of-service
  • CVE-2026-20665 - State management issue in WebKit allowing Content Security Policy bypass
  • CVE-2026-28859 - Memory handling issue in WebKit allowing malicious websites to process content outside the sandbox

iOS 26.4 and iPadOS 26.4

Includes all vulnerabilities listed above, plus:

  • CVE-2026-28877 - Authorization issue in Accounts allowing apps to access sensitive user data
  • CVE-2026-28895 - Physical access flaw in App Protection allowing bypass of biometrics-gated Protected Apps with a passcode on devices with Stolen Device Protection enabled (iPhone 11 and later only)
  • CVE-2026-28874 - Baseband flaw allowing a remote attacker to cause unexpected app termination
  • CVE-2026-28875 - Buffer overflow in Baseband enabling remote denial-of-service (iPhone 16e only)
  • CVE-2026-28894 - Denial-of-service issue in Calling Framework via remote attacker
  • CVE-2026-28866 - Symlink validation issue in Clipboard allowing apps to access sensitive user data
  • CVE-2026-28876 - Path validation issue in DeviceLink allowing apps to access sensitive user data
  • CVE-2026-28870 - Information leakage in GeoServices allowing apps to access sensitive user data
  • CVE-2026-28880 / CVE-2026-28833 - Permissions issues in iCloud allowing apps to enumerate installed apps
  • CVE-2026-28868 - Logging issue in Kernel allowing apps to disclose kernel memory
  • CVE-2026-28882 - Issue in libxpc allowing apps to enumerate installed apps
  • CVE-2026-20692 - Privacy flaw in Mail where "Hide IP Address" and "Block All Remote Content" may not apply to all mail content
  • CVE-2026-20688 - Path handling issue in Printing enabling sandbox escape
  • CVE-2026-28863 - Permissions issue in Sandbox Profiles allowing user fingerprinting
  • CVE-2026-28864 - Permissions issue in Security allowing a local attacker to access Keychain items
  • CVE-2026-28856 - Authentication issue in Siri allowing physical access to sensitive information on a locked device
  • CVE-2026-28858 - Buffer overflow in Telephony allowing a remote user to corrupt kernel memory or cause system termination
  • CVE-2026-20643 - Cross-origin issue in WebKit Navigation API allowing Same Origin Policy bypass
  • CVE-2026-28871 - Logic issue in WebKit enabling cross-site scripting attacks
  • CVE-2026-20664 / CVE-2026-28857 - Memory handling issues in WebKit causing unexpected process crashes
  • CVE-2026-28861 - Logic issue in WebKit allowing malicious websites to access script message handlers from other origins
  • CVE-2026-20691 - Authorization issue in WebKit Sandboxing allowing user fingerprinting

iOS 18.7.7 and iPadOS 18.7.7 (Older Devices)

Available for iPhone XS, iPhone XS Max, iPhone XR, and iPad 7th generation. Includes shared fixes listed above where applicable, plus:

  • CVE-2026-20637 - Use-after-free in AppleKeyStore allowing apps to cause unexpected system termination
  • CVE-2026-20668 - Logging issue in Focus allowing apps to access sensitive user data
  • CVE-2025-43534 - Path handling issue in iTunes Store allowing physical access bypass of Activation Lock
  • CVE-2026-20657 - Memory handling issue in Vision allowing unexpected app termination from maliciously crafted files
  • CVE-2025-43376 - Logic issue in WebKit allowing leaked DNS queries with Private Relay turned on

macOS Tahoe 26.4

Includes all shared vulnerabilities listed above, plus:

  • CVE-2026-28823 - Path handling issue in Admin Framework allowing apps with root privileges to delete protected system files
  • CVE-2025-55753 / CVE-2025-58098 / CVE-2025-59775 / CVE-2025-65082 / CVE-2025-66200 - Multiple vulnerabilities in the bundled Apache web server
  • CVE-2026-20637 - Use-after-free in AppleKeyStore allowing apps to cause unexpected system termination
  • CVE-2026-28824 - Authorization issue in AppleMobileFileIntegrity allowing apps to access sensitive user data
  • CVE-2026-20699 - Downgrade issue in AppleMobileFileIntegrity affecting Intel-based Macs, allowing access to sensitive data
  • CVE-2026-20684 - Permissions issue in AppleScript allowing apps to bypass Gatekeeper checks
  • CVE-2026-20633 - Symlink handling issue in Archive Utility allowing access to sensitive data
  • CVE-2026-28821 - Entitlement verification flaw in CoreServices enabling privilege escalation
  • CVE-2026-28838 - Permissions issue in CoreServices enabling sandbox escape
  • CVE-2026-28888 - Race condition in CUPS allowing apps to gain root privileges
  • CVE-2026-28893 - Privacy issue in CUPS where print preview writes documents to a temporary file
  • CVE-2026-28892 - Permissions issue in Diagnostics allowing apps to modify protected parts of the file system
  • CVE-2026-28832 - Out-of-bounds read in File System allowing kernel memory disclosure
  • CVE-2026-28834 - Race condition in GPU Drivers allowing unexpected system termination
  • CVE-2026-28881 - Privacy issue in iCloud allowing apps to access sensitive user data
  • CVE-2026-28842 / CVE-2026-28841 - Buffer overflow issues in IOGraphics leading to memory corruption and unexpected app termination
  • CVE-2026-20695 - Information disclosure in Kernel allowing apps to determine kernel memory layout
  • CVE-2026-28845 - Authorization issue in LaunchServices allowing apps to access protected user data
  • CVE-2026-20607 - Permissions issue in libxpc allowing apps to access protected user data
  • CVE-2026-20694 - Symlink handling issue in MigrationKit allowing access to sensitive data
  • CVE-2026-20632 - Path validation issue in Music allowing apps to access sensitive user data
  • CVE-2026-28839 - Issue in NetAuth allowing apps to access sensitive user data
  • CVE-2026-20701 - Access issue in NetAuth allowing apps to connect to a network share without user consent
  • CVE-2026-28891 - Race condition in NetAuth enabling sandbox escape
  • CVE-2026-28827 - Path validation issue in NetFSFramework enabling sandbox escape
  • CVE-2026-28816 - Path handling issue in Notes allowing apps to delete files without permission
  • CVE-2026-28826 - Logic issue in NSColorPanel allowing malicious apps to break out of the sandbox (Tahoe only)
  • CVE-2026-20631 - Logic issue in PackageKit allowing user privilege escalation
  • CVE-2026-20693 - Issue in PackageKit allowing root-privileged attackers to delete protected system files
  • CVE-2026-28862 - Privacy issue in Phone allowing apps to access sensitive data via log entries
  • CVE-2026-28831 - Authorization issue in Printing allowing apps to access sensitive user data
  • CVE-2026-28817 - Race condition in Printing allowing sandboxed processes to circumvent sandbox restrictions
  • CVE-2026-28835 - Use-after-free in SMB triggered by mounting a malicious network share leading to system termination
  • CVE-2026-28825 - Out-of-bounds write in SMB enabling modification of protected file system areas
  • CVE-2026-28818 / CVE-2026-20697 - Logging and permissions issues in Spotlight allowing apps to access sensitive user data
  • CVE-2026-28820 - Issue in StorageKit allowing apps to access sensitive user data
  • CVE-2026-28837 - Logic issue in System Settings allowing apps to access sensitive user data
  • CVE-2026-28844 - File access issue in SystemMigration allowing attackers to access protected parts of the file system
  • CVE-2026-28828 - Permissions issue in TCC allowing apps to access sensitive user data
  • CVE-2026-28829 - Permissions issue in WebDAV allowing apps to modify protected parts of the file system

macOS Sequoia 15.7.5

Includes most shared and macOS-common vulnerabilities listed above. Additional or platform-specific fixes:

  • CVE-2026-20660 - Path handling issue in CFNetwork allowing a remote user to write arbitrary files
  • CVE-2026-20639 - Integer overflow in configd leading to heap corruption from a maliciously crafted string
  • CVE-2026-20668 - Logging issue in Focus allowing apps to access sensitive user data
  • CVE-2026-20651 - Privacy issue in Messages allowing apps to access sensitive user data
  • CVE-2026-20657 - Memory handling issue in Vision allowing unexpected app termination from maliciously crafted files

Note: macOS Sequoia 15.7.5 does not include fixes for IOGraphics, NSColorPanel, StorageKit, System Settings, SystemMigration, or the iCloud sensitive data issue (CVE-2026-28881) that are specific to macOS Tahoe 26.4.

macOS Sonoma 14.8.5

Includes most shared and macOS-common vulnerabilities. Additional or platform-specific fixes:

  • CVE-2026-20639 - Integer overflow in configd leading to heap corruption from a maliciously crafted string
  • CVE-2026-20668 - Logging issue in Focus allowing apps to access sensitive user data
  • CVE-2026-20657 - Memory handling issue in Vision allowing unexpected app termination from maliciously crafted files

Note: macOS Sonoma 14.8.5 does not include WebKit updates, IOGraphics fixes, NSColorPanel, StorageKit, System Settings, SystemMigration, or several other Tahoe-specific fixes. It also does not include the Kernel memory disclosure fix (CVE-2026-28868) or the Kernel system termination fix (CVE-2026-20698) present in Tahoe and Sequoia.

tvOS 26.4

Available for Apple TV HD and Apple TV 4K (all models). Includes shared vulnerabilities listed above, plus:

  • CVE-2026-28870 - Information leakage in GeoServices allowing apps to access sensitive user data
  • CVE-2026-28882 - Issue in libxpc allowing apps to enumerate installed apps
  • CVE-2026-28863 - Permissions issue in Sandbox Profiles allowing user fingerprinting

Devices that can be updated to iOS 26.4 and iPadOS 26.4 are iPhone 11 and later, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later). Users on iPhone XS, iPhone XS Max, iPhone XR, and iPad 7th generation should update to iOS 18.7.7 and iPadOS 18.7.7. Mac users should update to macOS Tahoe 26.4, macOS Sequoia 15.7.5, or macOS Sonoma 14.8.5 depending on their installed version. Apple TV HD and Apple TV 4K users should update to tvOS 26.4.
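The per-release minimum versions above map naturally onto a fleet compliance check. The following shell script is an added example, not part of Apple's advisory or of this page's original content. It keys the minimum patched version on the installed major version (26 for Tahoe, 15 for Sequoia, 14 for Sonoma), compares dotted versions component by component, and assumes that `sw_vers -productVersion` reports the version in the same dotted form used here ("26.4", "15.7.5"); when run somewhere without `sw_vers`, it falls back to constructed sample versions.

```shell
#!/bin/sh
# Added example: check whether a Mac is at or above the March 24, 2026
# patched release for its major version. Not Apple's code.

# min_for_major MAJOR: print the minimum patched version for that major
# version line, or nothing if the line is not covered by these updates.
min_for_major() {
  case "$1" in
    26) echo "26.4" ;;     # macOS Tahoe
    15) echo "15.7.5" ;;   # macOS Sequoia
    14) echo "14.8.5" ;;   # macOS Sonoma
    *)  echo "" ;;
  esac
}

# version_ge A B: return 0 when dotted numeric version A >= B.
# Appending ".0.0.0" guarantees every field exists, so "26.4" compares
# as 26.4.0 and "26" as 26.0.0 (assumes numeric components only).
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s.0.0.0\n' "$1" | cut -d. -f"$i")
    y=$(printf '%s.0.0.0\n' "$2" | cut -d. -f"$i")
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# check_mac_patched VERSION: print a verdict; return 0 if patched,
# 1 if an update is required, 2 if the major version is not covered.
check_mac_patched() {
  installed="$1"
  major=${installed%%.*}
  minimum=$(min_for_major "$major")
  if [ -z "$minimum" ]; then
    echo "macOS $installed: major version $major not covered by the March 2026 updates"
    return 2
  fi
  if version_ge "$installed" "$minimum"; then
    echo "macOS $installed: patched (minimum $minimum)"
    return 0
  fi
  echo "macOS $installed: NOT patched, update to $minimum or later"
  return 1
}

if command -v sw_vers >/dev/null 2>&1; then
  # Real check on a Mac (assumes sw_vers reports e.g. "15.7.5").
  check_mac_patched "$(sw_vers -productVersion)" || true
else
  # Constructed sample versions so the script runs anywhere.
  for sample in 26.4 15.7.4 14.8.5 13.7.8; do
    check_mac_patched "$sample" || true
  done
fi
```

The return code is what a management tool would act on: a non-zero status flags the device for remediation, and status 2 separates "not covered by this advisory" (an unsupported or newer major) from "needs this update".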

Apple strongly advises all users to update their devices immediately to the latest available software versions.
