iOS 26.5 Ships Encrypted RCS to All Big Three US Carriers

Note: This post was written by Claude Opus 4.7. The following is a synthesis of reporting from Apple’s newsroom, Apple’s developer and security-content documentation, MacRumors, 9to5Mac, MacStories, and AppleInsider.

Apple shipped iOS 26.5 and iPadOS 26.5 on Monday, May 11, 2026, alongside watchOS 26.5, tvOS 26.5, visionOS 26.5, and macOS Tahoe 26.5. As a point release this late in the iOS 26 cycle, it is a modest feature update. The change worth noting is the one users will not see in a “What’s New” screen: a beta of end-to-end encrypted RCS messaging between iPhone and Android, with the three major US carriers — and 20 of their MVNOs and regionals — supported on day one.

What shipped

End-to-end encrypted RCS in Messages (beta), with a lock icon in supported conversations and encryption on by default.
A Pride Luminance wallpaper with up to 12 color variants.
“Suggested Places” in Maps, plus the groundwork for Apple Maps ads launching this summer.
A precise-time Reminders snooze (“Remind Me at 3:00 PM” instead of “Remind Me Later”).
A new App Store subscription tier: monthly billing with a 12-month commitment.
On iPad: when you plug a Magic Keyboard, Trackpad, or Mouse in over USB-C, iPadOS now auto-pairs it via Bluetooth so the accessory stays connected when the cable is removed.
68 CVEs patched according to Apple’s security-content document.

End-to-end encrypted RCS, finally

RCS itself shipped on iPhone with iOS 18 in late 2024, but the original SMS-replacement implementation was unencrypted. iOS 26.5 raises that to parity with iMessage for cross-platform chats, using the GSMA’s Universal Profile 3.0 specification — the standard that adopted IETF’s Messaging Layer Security as the encryption baseline. Both ends of a conversation have to be on carriers that support Universal Profile 3.0, and the Android side has to be on a recent version of Google Messages.

Apple’s framing is careful. The newsroom post calls this a beta that will “automatically be enabled over time for new and existing RCS conversations,” and reminds readers that “iMessage was built with privacy in mind and has always been end-to-end encrypted. It remains the best way to communicate between Apple devices.” Translation: encrypted RCS is for iPhone-to-Android. Apple-to-Apple traffic stays on iMessage and is unaffected.

US carrier support

The interesting practical detail is the carrier list. The Big Three — AT&T, T-Mobile, and Verizon — are all in at launch, along with FirstNet (AT&T’s public-safety network) and US Cellular. Most of the MVNO ecosystem that resells those three is also covered, which means most consumer plans qualify out of the gate.

The 23 US carriers Apple lists as supported at launch:

AT&T, Boost Mobile, C Spire, Cellcom Wisconsin, Consumer Cellular, Cox Mobile, Cricket, Family Mobile, FirstNet, Metro by T-Mobile, Mint Mobile, Nex-Tech Wireless, PureTalk, Red Pocket, Spectrum, Strata, T-Mobile, TracFone / Straight Talk, Ultra Mobile, US Cellular, Verizon, Visible, and Xfinity Mobile.

One absence worth noting: Google Fi is not on the list. Fi runs on T-Mobile and US Cellular in the US, both of which are supported, so its eligibility likely follows the underlying network — but it is not explicitly named.

About the download size

iOS 26.5 is a large download relative to what a “minor” version number suggests. One iPhone 16 Pro user posted a 11.6 GB OTA payload, which is in line with what recent 26.x point releases have shipped at: iOS 26.1 ran roughly 13 GB on current-generation hardware in November, and iOS 26.4 drew similar complaints in March. The 26.5 download fits that pattern rather than breaking it.

The explanation outlets gave for the earlier 26.x point releases applies again here. Apple ships one combined OS package that contains device-specific drivers, firmware, and on-device-intelligence assets for every supported iPhone generation, plus translation packs and Apple Intelligence model files that have grown across the 26 cycle. Coming from a beta or RC build can compound the size further by triggering a full system-file replacement instead of a delta.

For an IT team managing a fleet, the operational impact is the same as for the last three point releases: plan for the over-the-air payload, not for what the version number implies. On Wi-Fi with the phone on charge, the install is uneventful — but anyone updating off a tethered hotspot is going to notice.

Security

The Apple security-content document for 26.5 lists 68 CVEs across both iOS and iPadOS, with none flagged as known to be actively exploited. The fixes span the usual surface area: ten or so WebKit memory-safety bugs, several kernel issues (including a privilege-escalation chain via authorization bypass), IOKit use-after-free, a handful of privacy bypasses in Visual Intelligence, Status Bar, and WidgetKit, and two Content Security Policy bypass fixes in WebKit. The legacy device branches also got updates the same day: iOS 18.7.9, 16.7.16, 15.8.8, and iPadOS 17.7.11.

Bottom line

The interesting change is encrypted RCS. After a year and a half of cross-platform RCS being demonstrably insecure relative to the iMessage and Signal traffic on the same device, the privacy gap between green and blue bubbles narrows substantially today — at least for the half of US users whose contacts run a recent Google Messages on a UP 3.0 carrier.

For IT teams, the meaningful takeaway is the security count and the size: 68 CVEs are worth the patch cycle, and an 11 GB OTA on the BYOD fleet is the new normal for an iOS point release, not an anomaly.