Apple on Monday released security updates for iOS, macOS, and the Safari web browser to address over three dozen flaws, including four vulnerabilities in WebKit that were discovered using artificial intelligence (AI) tools like Anthropic Claude and OpenAI Codex Security.
The WebKit vulnerabilities are listed below –
- CVE-2026-43707 – A memory corruption issue that could result in an unexpected process crash when processing maliciously crafted web content. It was addressed with improved memory handling.
- CVE-2026-43716 – An unspecified issue that could result in an unexpected Safari crash when processing maliciously crafted web content. It was addressed with improved memory handling.
- CVE-2026-43745 – An out-of-bounds write issue that could result in an unexpected Safari crash when processing maliciously crafted web content. It was addressed with improved input validation.
- CVE-2026-43715 – A use-after-free issue that could result in memory corruption when processing maliciously crafted web content. It was addressed with improved memory management.
The first three security defects have been credited by Apple to OpenAI Codex Security, while Anthropic researchers Milad Nasr and Nicholas Carlini, along with Claude, have been acknowledged for CVE-2026-43715.
The four vulnerabilities are part of nearly 30 vulnerabilities that have been patched in WebKit, an open-source web browser engine developed by Apple. Others include a use-after-free issue in WebKit Canvas (CVE-2026-43720) and a vulnerability that could be exploited by a malicious website to process restricted web content outside the sandbox (CVE-2026-43725).
Apple has also remediated three bugs that could be exploited by a malicious app to leak sensitive kernel state (CVE-2026-43722), cause unexpected system termination or write kernel memory (CVE-2026-43724), or corrupt kernel memory (CVE-2026-39868). Security researcher Hyunwoo Kim, who discovered Dirty Frag, has been credited with discovering and reporting CVE-2026-43724 and CVE-2026-43722.
The updates are available for iOS 26.5.2, iPadOS 26.5.2, macOS Tahoe 26.5.2, and Safari 26.5.2. None of the patched vulnerabilities has been disclosed as actively exploited in the wild.
In a statement shared with Reuters, Apple said it’s making the security updates much earlier than before in response to concerns that AI tools could accelerate the development of exploits and act as an enabler of cyber warfare, shrinking the window between discovery and weaponization to hours.
The company said “it was adapting to the reality that, given the ability of artificial intelligence to speed the development of malicious hacking tools, it needed to reduce the time between when updates were first made public and when they were put into customers’ hands,” Reuters reported.
