Apple’s Mega Patch: Over 100 Security Fixes Signal New Urgency Around iPhone and Mac Defenses

Apple just dropped one of its largest security updates in years — and while the company insists no vulnerabilities are under active attack, the scale of the release tells a different story about the growing complexity of its ecosystem.

Across its major platforms, Apple patched an eye-popping 105 vulnerabilities in macOS 26.1, 56 in iOS and iPadOS 26.1, 43 in visionOS, 32 in watchOS, and 21 in Safari, along with two in Xcode. The cumulative list reads like a blueprint of where Apple’s hardware and software converge — and where attackers are increasingly probing for weak spots.

Researchers Push for Transparency

Apple’s minimalist disclosure approach once again drew sharp criticism from the security community. The company continues to eschew the Common Vulnerability Scoring System (CVSS) and offers only terse technical notes without context or impact ratings.

“As always, I get frustrated when reading Apple updates as they don’t provide any severity rating,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “I understand not wanting to use CVSS, but if they would at least call out the critical and high-severity bugs, it would be greatly appreciated.”

Apple’s reluctance to spell out severity leaves defenders guessing which flaws pose the greatest risk, complicating patch prioritization across enterprise environments — particularly for organizations managing fleets of Apple devices alongside Windows and Android systems.

Spotlight on WebKit and the Neural Engine

Much of the attention this cycle falls on WebKit, the open-source browser engine that powers Safari and underpins apps across iOS, macOS, and visionOS. Seven WebKit bugs could lead to crashes or arbitrary code execution from malicious web content — a long-running Achilles’ heel for Apple platforms and a favorite target of spyware operators.

Another standout is a vulnerability in the Apple Neural Engine (ANE), which could cause kernel memory corruption. The ANE accelerates AI and machine learning workloads — meaning flaws here could impact not just stability but also data integrity in AI-driven apps.

“iOS 26.1 is a significant update containing 56 security fixes; therefore, users shouldn’t delay updating their iPhones,” said Adam Boynton, Senior Security Strategy Manager at Jamf. “Notably, Apple has fixed a vulnerability in the Apple Neural Engine, which could cause corrupt kernel memory.”

Boynton warned that CVE-2025-43455 — allowing malicious apps to capture screenshots of embedded views — could expose sensitive data such as passwords or financial information. He also pointed to a Stolen Device Protection flaw that, while requiring physical access, could let an attacker disable safeguards on a stolen iPhone.

A Shift Toward “Always-On” Security

Perhaps the most consequential change isn’t a fix, but a feature. iOS 26.1 introduces Background Security Release, a new system designed to deliver critical patches automatically between full software updates. The move acknowledges one of Apple’s persistent security challenges: millions of users running outdated iOS versions for months at a time.

“Automatically installing security patches should help address this issue by placing less responsibility on the user,” Boynton added. “We recommend all users turn on this feature.”

The Bigger Picture

So far this year, Apple has disclosed five zero-days that were actively exploited, and the Cybersecurity and Infrastructure Security Agency (CISA) has added eight Apple vulnerabilities to its known exploited catalog. That’s a slower pace than 2023 — but with this week’s deluge of patches, the company seems to be shoring up its defenses before the next storm hits.

The message from security pros is clear: update now, and keep automatic patching on. In the age of AI-enhanced exploits and cross-platform attacks, even the world’s most valuable company can’t afford to leave its defenses static.