
iOS 18.7.9 and macOS Sequoia 15.7.7: 50+ CVEs for devices that can't run iOS 26

On May 11 Apple released a coordinated batch of security updates for devices excluded from iOS 26. iOS 18.7.9 fixes more than 50 vulnerabilities, including a kernel root privilege escalation and a sandbox escape via App Intents.

On May 11, alongside the public release of iOS 26.5, Apple shipped a coordinated batch of security updates for every device that cannot run iOS 26. The most substantial is iOS 18.7.9 and iPadOS 18.7.9, which covers more than 50 vulnerabilities on iPhone XS, XS Max, XR, and iPad 7th generation — the most recent models excluded from iOS 26, which requires iPhone 11 or later.

The scope of the updates

Apple updated four distinct release branches simultaneously.

On the Mac side, Apple released macOS Sequoia 15.7.7 and macOS Sonoma 14.8.7 for Macs that don’t support macOS Tahoe 26. Full security details for both were still incomplete at the time of release.

The most critical vulnerabilities in iOS 18.7.9

Fifty-plus CVEs in a secondary branch is notable. The most relevant vulnerabilities hit core operating system components:

CVE-2026-28951 (Kernel): an authorization issue allows an app to gain root privileges. The highest-severity vulnerability in this batch.

CVE-2026-28819 (Wi-Fi): an out-of-bounds write in the Wi-Fi component enables arbitrary code execution with kernel privileges. Exploitability depends on network access or controlling the device’s Wi-Fi session.

CVE-2026-28995 (App Intents): a logic flaw lets a malicious app break out of its sandbox. The same surface is affected in the iOS 26.5 package.

CVE-2026-43668 (mDNSResponder): a use-after-free allows a remote attacker to cause unexpected system termination.

CVE-2026-28972 (Kernel): an out-of-bounds write can cause system termination or kernel memory corruption.

The WebKit CVEs — including CVE-2026-43660, CVE-2026-43659, and CVE-2026-43656 — involve browser process crashes and potential information disclosure through malicious web content. On an iPhone XR or XS still running iOS 18, Safari is the primary attack surface reachable remotely without physical interaction.

One detail worth noting: many of these CVEs share identifiers with vulnerabilities fixed in iOS 26.5. Apple backported the same fixes across both branches, confirming these are issues in shared system component implementations rather than code specific to iOS 26.

Why the iOS 18 installed base still matters

The iPhone XS and XR launched in 2018. They are eight-year-old devices that will never receive iOS 26. But they are still in use — in consumer, enterprise, and MDM contexts where hardware replacement cycles are long — and apps distributed on the App Store still reach them.

From a developer perspective, this update changes nothing at the API or behavioral level. The operational point is different: devices on iOS 18 in the installed base remain exposed to kernel and WebKit vulnerabilities until updated, and not every enterprise environment enforces strict OS update policies.

Teams managing MDM deployments with iOS 18 devices should treat CVE-2026-28951 (kernel root escalation) and CVE-2026-28995 (sandbox escape) as reasons to prioritize this update cycle. No app-level code change is needed — the patch lives in the OS — but deployment planning matters.
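One way an MDM team can act on this is to compare the fleet's reported OS versions against the patched minimum for each branch rather than against a single "latest" number, since an iPhone XR on 18.7.9 is current while an iPhone 15 on 18.7.9 is not. The script below is an added example, not code from the article or from Apple; the minimum versions (iOS/iPadOS 18.7.9, iOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7) come from the article, the inventory rows are constructed sample data, and the field names are assumptions about what an MDM export might contain.

```python
"""Flag managed Apple devices that have not yet received the May 11 patch level.

Added example (not from the article). Branch minimums are taken from the article;
the inventory rows are constructed sample data and the Device fields are an
assumed shape for an MDM export.
"""
from __future__ import annotations

from dataclasses import dataclass

# Minimum patched version per (platform, major version), from the article.
# A device is judged against its own branch, not against the newest OS.
PATCHED_MINIMUM = {
    ("iOS", 18): (18, 7, 9),
    ("iPadOS", 18): (18, 7, 9),
    ("iOS", 26): (26, 5),
    ("iPadOS", 26): (26, 5),
    ("macOS", 14): (14, 8, 7),   # Sonoma
    ("macOS", 15): (15, 7, 7),   # Sequoia
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.7.9' into (18, 7, 9); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, version: str) -> bool | None:
    """True if the device is at or above its branch minimum, False if below.

    Returns None when the (platform, major) pair is not tracked, e.g. a device
    still on iOS 17: that is a branch with no May 11 fix at all and needs a
    human decision, so it must not be silently counted as compliant.
    Tuple comparison handles mixed lengths: (26, 5, 1) >= (26, 5) is True and
    (18, 7) >= (18, 7, 9) is False.
    """
    v = parse_version(version)
    minimum = PATCHED_MINIMUM.get((platform, v[0]))
    if minimum is None:
        return None
    return v >= minimum


@dataclass(frozen=True)
class Device:
    serial: str        # assumed MDM export fields
    platform: str
    os_version: str


# Constructed sample inventory; serial numbers are placeholders.
SAMPLE_INVENTORY = [
    Device("SAMPLE-0001", "iOS", "18.7.8"),
    Device("SAMPLE-0002", "iOS", "18.7.9"),
    Device("SAMPLE-0003", "iPadOS", "18.7.9"),
    Device("SAMPLE-0004", "iOS", "26.4.1"),
    Device("SAMPLE-0005", "macOS", "15.7.6"),
    Device("SAMPLE-0006", "macOS", "14.8.7"),
    Device("SAMPLE-0007", "iOS", "17.7.2"),
]


def triage(devices: list[Device]) -> dict[str, list[str]]:
    """Bucket serials into patched / exposed / review (untracked branch)."""
    report: dict[str, list[str]] = {"patched": [], "exposed": [], "review": []}
    for d in devices:
        status = is_patched(d.platform, d.os_version)
        if status is None:
            report["review"].append(d.serial)
        elif status:
            report["patched"].append(d.serial)
        else:
            report["exposed"].append(d.serial)
    return report


if __name__ == "__main__":
    for bucket, serials in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {len(serials):3d}  {', '.join(serials)}")
```

The "review" bucket is deliberate: a device on a branch with no entry in the table (iOS 17 in the sample) has no fix to install, so it should surface for replacement or exception handling rather than disappear into either the compliant or the non-compliant count.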

The gap with iOS 26.5

iOS 18.7.9 addresses 50+ CVEs. iOS 26.5, released the same day, addresses 90+. The difference reflects diverging codebases: iOS 26 contains features and components that iOS 18 doesn’t have, and some iOS 26.5 vulnerabilities simply have no counterpart in the older version because the affected surfaces don’t exist there. This doesn’t mean iOS 18 is more secure. It means the two branches have increasingly different risk profiles.

For teams with compliance obligations or enterprise device management responsibilities, this update cycle makes the gap visible in concrete terms.

The next thing to watch: whether Apple will maintain the current cadence of iOS 18 security backports as the iOS 27 cycle begins post-WWDC26. The precedent suggests the iOS 18 branch stays active through at least end of 2026, but the gap with the main branch will widen with each cycle.

Luca

Software developer, Apple user since 2012. I cover news and tools for developers building on Apple platforms.
