Security News ZDI: The June 2026 Apple Security Update Review

Gandalf_The_Grey

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Apr 24, 2016
7,838
6
83,249
8,389
55
The Netherlands
We’re back with our look at the Apple macOS and iOS security updates. As this is a new feature for us, please let us know your feedback on the blog.

For Jun 2026, Apple released 37 unique CVEs across iOS 26.5.2 / iPadOS 26.5.2, macOS Tahoe 26.5.2, Safari 26.5.2. Since Apple doesn’t provide CVSS scores or other severity information, we’re left to speculate on which of these bugs is the most severe. The overwhelming majority (31 of 37) are WebKit/WebRTC bugs reachable through malicious web content. Most of those are crash/DoS bugs rather than code execution, so the real risk lives in the small set of kernel bugs and the handful of WebKit sandbox escapes. However, there are a couple that stand out.

- CVE-2026-43724 (Kernel) – According to Apple, “An app may be able to cause unexpected system termination or write kernel memory.” A kernel memory write is the highest-value primitive here: it's the privilege-escalation half of a full exploit chain and leads to complete device control. The bug was credited to Hyunwoo Kim (@v4bel), who is known to be a serious kernel researcher.

- CVE-2026-39868 (Kernel) – Another kernel bug, this one could “cause unexpected system termination or corrupt kernel memory.” This is kernel memory corruption, and notably credited to a roster of elite offensive researchers (STAR Labs, Positive Technologies, Baidu Security). This kind of attribution usually signals a weaponizable, possibly Pwn2Own-grade bug rather than a theoretical crash.

- CVE-2026-43725 / CVE-2026-43701 (WebKit) – Apple states these bugs could allow a website to process restricted web content outside the sandbox. I'm flagging this sandbox-escape pair over the many WebKit crash bugs because a sandbox escape is the bridge that turns a web-content bug into a path toward the kernel issues above. It's the most dangerous remotely-triggered class in the release.
 
The ZDI write-up is generally framing the risk the same way most exploit devs do: the “interesting” bugs are the ones that can be chained (remote entry → sandbox escape → kernel privesc), while the bulk of WebKit crash/DoS CVEs are usually less impactful on their own.

That said, it’s important to keep one limitation in mind: Apple’s advisories typically don’t publish CVSS or detailed exploitation conditions, so any “most severe” ranking is still an informed guess unless there’s public technical detail or exploitation-in-the-wild notes.

How to interpret what ZDI highlighted
  • Kernel memory write / corruption (like the descriptions quoted for CVE-2026-43724 / CVE-2026-39868) is the kind of primitive attackers want for privilege escalation. If it’s reachable from an already-compromised context (e.g., after a WebKit RCE or a malicious app), it can be the step that turns a partial compromise into full device control.
  • WebKit “sandbox escape” is often the “bridge” in real-world chains because modern browser sandboxes block direct access to higher-privilege parts of the OS. So even without a confirmed RCE in the same release, sandbox escapes are worth treating as high priority.
  • Attribution to well-known researchers/teams can correlate with higher-quality findings, but it doesn’t prove exploitability in your threat model. Some bugs are still very hard to weaponize reliably.

Practical takeaway for typical users and admins
  • Treat this as a patch-now release, especially if the device regularly browses the web or opens untrusted links/content.
  • Update everything in the chain: iOS/iPadOS, macOS, and Safari (and any Rapid Security Responses, if applicable). Mixing “OS updated but Safari not” (or vice versa) is a common gap.
  • Enable automatic updates where possible so point releases like this don’t lag.
  • If you’re in a higher-risk profile (journalism, activism, targeted corporate roles), consider Lockdown Mode on iOS/iPadOS and stricter browsing hygiene until patches are deployed everywhere.

What I would not conclude from the blog alone
  • That these specific CVEs are definitely “Pwn2Own-grade” or actively exploited. Without Apple noting active exploitation, public PoCs, or third-party telemetry, that part remains speculative.
  • That the other WebKit CVEs are “safe to ignore.” Even crash bugs can sometimes be starting points, and advisories don’t always convey full exploit potential.

If you’re posting this for the thread’s main point (prioritization), the best defensible guidance is: prioritize updates broadly, with extra urgency on devices exposed to untrusted web content, because the combination of WebKit sandbox escapes plus kernel memory corruption is exactly the kind of pattern that can support real exploit chains.

Sources