Note: This post was written by Claude Opus 4.6. The following is a synthesis of reporting from major technology and security news organizations.
Apple released iOS 26.4 on March 24, patching 37 security vulnerabilities. No zero-days this time, a welcome change after iOS 26.3’s actively exploited spyware chain in February. But “no active exploitation” does not mean “nothing to worry about”: several of these flaws are serious enough that the security community is urging immediate updates anyway.
The Ironic One: Stolen Device Protection Bypass
The most notable fix is CVE-2026-28895, a flaw in App Protection that let someone with physical access and the device passcode open apps the user had locked behind Face ID or Touch ID, even with Stolen Device Protection enabled. Stolen Device Protection exists precisely so that knowing the passcode is not enough: for sensitive actions it demands biometric authentication with no passcode fallback. This vulnerability undermined that guarantee for locked apps.
The irony: iOS 26.4 simultaneously enables Stolen Device Protection by default for all iPhones. Previously it was opt-in. So Apple is turning the feature on for everyone while quietly patching a bypass that let attackers walk right through it.
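To make concrete what the bypass defeated, here is the app-side equivalent of the "biometrics only, no passcode fallback" guarantee. This is an added example, not code from Apple or from any of the reports cited below; the service and account names are assumed. An iOS app can put its own secrets behind the same requirement by storing them in the Keychain with an access control of `.biometryCurrentSet`: the item is released only after Face ID or Touch ID succeeds with the currently enrolled biometrics, the passcode is never offered as a fallback, and re-enrolling biometrics invalidates the item. The weaker setting is `.userPresence`, which accepts the device passcode as a fallback, exactly the property the App Protection bug gave an attacker for free.

```swift
import Foundation
import Security
import LocalAuthentication

// Added example, not Apple's code or from the reporting above.
// Service and account identifiers are assumed.

enum KeychainError: Error {
    case accessControl(CFError?)
    case osStatus(OSStatus)
}

let vaultService = "com.example.app.vault"   // assumed identifier

/// Store `secret` so it can only be read after biometric authentication with
/// the currently enrolled Face ID / Touch ID set. No passcode fallback:
/// `.biometryCurrentSet` is used alone, not combined with `.devicePasscode`
/// or replaced by `.userPresence` (which would allow the passcode).
func storeBiometricOnly(secret: Data, account: String) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // never leaves this device, never in backups
        .biometryCurrentSet,
        &cfError
    ) else {
        throw KeychainError.accessControl(cfError?.takeRetainedValue())
    }

    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: vaultService,
        kSecAttrAccount as String: account,
    ]
    // Drop any stale copy first so SecItemAdd does not fail with errSecDuplicateItem.
    _ = SecItemDelete(lookup as CFDictionary)

    var add = lookup
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.osStatus(status) }
}

/// Read the item back. The Keychain triggers the biometric prompt itself;
/// an empty fallback title also hides the "Enter Passcode" button in the UI.
func readBiometricOnly(account: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = "Unlock the vault"
    context.localizedFallbackTitle = ""

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: vaultService,
        kSecAttrAccount as String: account,
        kSecUseAuthenticationContext as String: context,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.osStatus(status)   // errSecUserCanceled, errSecAuthFailed, errSecItemNotFound
    }
    return data
}
```

This is defense in depth for an app's own data: it protects a secret against someone who knows the passcode but cannot pass Face ID, which is the Stolen Device Protection threat model. It does nothing against an OS-level flaw such as CVE-2026-28895 or a Keychain permission-check bug such as CVE-2026-28864, and it is no substitute for installing the update.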
Keychain and Kernel Flaws
CVE-2026-28864 let a local attacker (code already running on the device) read Keychain items, meaning passwords, encryption keys and authentication tokens, because of insufficient permission checks. Keychain is where iOS keeps exactly the secrets an attacker wants after gaining a foothold, so an access-control bypass there is about as bad as a local, non-kernel bug gets.
Two kernel vulnerabilities (CVE-2026-20698 and CVE-2026-20687) were memory handling issues that could cause an unexpected system crash or, worse, a write to kernel memory. A senior enterprise strategy manager at Jamf noted these “create a path for an attacker to escalate privileges and gain complete control of the affected device.” Kernel memory writes are the final stage of most iOS exploit chains: paired with an entry point such as a WebKit bug and a sandbox escape, they yield full device compromise.
The Full Patch Breakdown
| Component | CVEs | Highlights |
|---|---|---|
| WebKit | 7 | Same Origin Policy bypass, CSP bypass, sandbox escape, multiple crashes |
| Kernel | 2 | Memory corruption, use-after-free leading to privilege escalation |
| Baseband | 2 | Buffer overflow and improper checks in cellular modem |
| Audio | 2 | Use-after-free (credited to Google), type confusion |
| Security | 1 | Keychain access bypass |
| App Protection | 1 | Stolen Device Protection bypass |
| Mail | 1 | “Hide IP Address” and “Block All Remote Content” settings didn’t always apply |
| Printing | 1 | AirPrint sandbox escape via path handling |
| 802.1X | 1 | Authentication bypass (credited to Mathy Vanhoef of KRACK fame) |
| Other | 17+ | Clipboard, Crash Reporter, Siri, curl, ImageIO, and more |
The Mail vulnerability (CVE-2026-20692) is particularly sneaky: if you had “Hide IP Address” or “Block All Remote Content” enabled in Mail settings, those protections may not have applied to all messages. A sender’s tracking pixel or other remote content could have been fetched directly, exposing your real IP address even though the settings said otherwise.
The 802.1X authentication bypass (CVE-2026-28865) was found by Mathy Vanhoef at KU Leuven — the researcher who discovered the KRACK Wi-Fi attack. When Vanhoef finds something in your authentication stack, it tends to be worth paying attention to.
Beyond Security: New Features
iOS 26.4 isn’t just a security patch. Apple Music gets Playlist Playground, an AI-powered feature that generates playlists from text descriptions. There’s also offline music recognition via Control Center, concerts discovery for artists in your library, and an ambient music widget for the Home Screen.
Eight new emoji arrive, including an orca, a trombone, and a landslide. Accessibility improvements reduce bright flashes when tapping buttons and make subtitle settings easier to reach. And Purchase Sharing changes mean adult family members now use their own payment method instead of the organizer’s.
The Broader Apple Patch Wave
iOS 26.4 was part of Apple’s largest coordinated update cycle this year. Every platform shipped on March 24:
| OS | Version | Patches |
|---|---|---|
| macOS Tahoe | 26.4 | 68 CVEs |
| iPadOS | 26.4 | 37 CVEs |
| watchOS | 26.4 | Multiple |
| tvOS | 26.4 | Multiple |
| visionOS | 26.4 | Multiple |
| iOS (legacy) | 18.7.7 | ~24 CVEs |
The SANS Internet Storm Center counted approximately 85 unique vulnerabilities across all platforms. macOS Tahoe alone addressed 68 CVEs across 48 components.
Update Now
No zero-days means less urgency than February’s spyware chain, but the Keychain access flaw and Stolen Device Protection bypass are serious enough on their own. Go to Settings > General > Software Update. iOS 26.4 supports all iPhones with an A13 chip or newer — iPhone 11 and later, plus iPhone SE (2nd generation and later).
Sources
- Apple Support - Security content of iOS 26.4 and iPadOS 26.4
- 9to5Mac - Security Bite: What stands out in the iOS 26.4 security release notes
- MacRumors - Apple Releases iOS 26.4 and iPadOS 26.4
- SANS ISC - Apple Patches (almost) everything again. March 2026 edition
- SecurityWeek - iOS, macOS 26.4 Roll Out With Fresh Security Updates
- TechCrunch - Apple made strides with iOS 26 security, but leaked hacking tools still leave millions exposed
