The four vulnerabilities are part of nearly 30 vulnerabilities that have been patched in WebKit, an open-source web browser engine developed by Apple. Others include a use-after-free issue in WebKit Canvas (CVE-2026–43720) and a vulnerability that could be exploited by a malicious website to process restricted web content outside the sandbox (CVE-2026–43725).

Apple has also remediated three bugs that could be exploited by a malicious app to leak sensitive kernel state (CVE-2026–43722), cause unexpected system termination or write kernel memory (CVE-2026–43724), or corrupt kernel memory (CVE-2026–39868). Security researcher Hyunwoo Kim, who discovered Dirty Frag, has been credited with discovering and reporting CVE-2026–43724 and CVE-2026–43722.

The updates are available for iOS 26.5.2, iPadOS 26.5.2, macOS Tahoe 26.5.2, and Safari 26.5.2. None of the patched vulnerabilities has been disclosed as actively exploited in the wild.