On May 11 Apple released the final public versions of iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, Xcode 26.5, tvOS 26.5, watchOS 26.5, and visionOS 26.5. The release candidate had been available since May 4 and reached the public unchanged in substance. The security content, which Apple does not pre-announce, is significant: iOS 26.5 closes more than 90 vulnerabilities.
The security content
A high CVE count in a point release is not by itself a measure of severity — what matters is the type and exploitability of the vulnerabilities. In this case, several are serious at the system level.
CVE-2026-28951 (Kernel): an authorization issue allows an app to gain root privileges. Full privilege escalation, the most critical issue in the package.
CVE-2026-28995 (App Intents): a logic flaw in the App Intents framework lets a malicious app break out of its sandbox, gaining access to resources outside its permitted perimeter.
CVE-2026-28972 (Kernel): an out-of-bounds write that can cause unexpected system termination or write to kernel memory.
CVE-2026-43655 (IOSurfaceAccelerator): an out-of-bounds read that enables kernel memory disclosure. Relevant for apps that use Metal or access IOSurface for rendering.
WebKit (14+ CVEs): three use-after-free vulnerabilities (CVE-2026-28947, CVE-2026-28883, CVE-2026-28942) can cause browser process crashes or information disclosure through malicious web content. WebKit vulnerabilities are the most accessible attack surface remotely — visiting a page controlled by an attacker is enough, with no additional physical access required.
The full package also covers mDNSResponder, ImageIO, APFS, Siri, and App Intents. At 90+ CVEs, it is one of the largest security payloads in a single point release in the iOS 26 cycle.
Xcode 26.5: the new CI baseline
With the public release, Xcode 26.5 becomes the current version for iOS 26 development. App Store Connect has required builds with the iOS 26 SDK or later since April 28 — that deadline was announced and covered earlier. Xcode 26.5 is now the version CI pipelines should be pinned to ahead of the WWDC26 cycle.
Teams using hosted CI runners should verify that their runner images have been updated to Xcode 26.5. GitHub Actions macOS runners typically include the current Xcode release, but availability varies for self-hosted runners and third-party CI providers.
RCS end-to-end encryption: live, rolling out by carrier
The end-to-end encryption for RCS, covered in detail when confirmed with the RC, is now active in production. Rollout depends on carrier adoption: the option appears in Messages settings only when both the iPhone and the Android recipient’s device — and their respective carriers — support RCS Universal Profile 3.0 with the Messaging Layer Security protocol. Carrier coverage varies by region.
Supported devices
iOS 26.5 and iPadOS 26.5 require iPhone 11 or later for iOS, and iPad Pro 12.9-inch 3rd generation or later, iPad Pro 11-inch 1st generation or later, iPad Air 3rd generation or later, iPad 8th generation or later, iPad mini 5th generation or later for iPadOS.
macOS Tahoe 26.5 is available for Macs compatible with macOS Tahoe 26. Older Macs receive macOS Sequoia 15.7.7 or macOS Sonoma 14.8.7 instead.
What to do
For developers, the immediate action is updating test devices and verifying that CI pipelines reference Xcode 26.5. The security content introduces no API breaking changes or behavioral shifts for apps.
For end users, the update is recommended as a priority given the kernel and WebKit CVEs. There are no known active exploits for these vulnerabilities at time of release, but WebKit issues historically move from disclosure to working exploit quickly once technical details become public.
The next thing to watch: the iOS 26.1 beta changelog, which will provide early signals about what changes in the post-WWDC26 cycle. Public iOS 26.1 availability will likely follow the June 8 keynote.
