Apple has patched six critical WebKit vulnerabilities in iOS 26.1 and iPadOS 26.1, with all six flaws discovered by Google's AI-powered Big Sleep security research project—marking a significant milestone in automated vulnerability detection.
Released on November 3, 2025, the update addresses memory corruption issues that could allow malicious websites to crash Safari or compromise system stability. The vulnerabilities, tracked as CVE-2025-43430, CVE-2025-43434, CVE-2025-43433, CVE-2025-43431, CVE-2025-43429, and CVE-2025-43421, all stem from WebKit—the browser engine powering Safari and web content across Apple devices.
The discovered flaws represent various weaknesses in memory handling. Several use-after-free bugs (where memory is accessed after being freed) and buffer overflow issues (where data exceeds allocated memory boundaries) could lead to unexpected process crashes when processing maliciously crafted web content. One particularly concerning vulnerability could enable memory corruption, potentially allowing attackers to execute arbitrary code.
Google Big Sleep, an AI-driven security initiative, has demonstrated the growing capability of machine learning in identifying complex security flaws that might evade traditional testing methods. The concentration of six related discoveries in a single update highlights both the thoroughness of AI-assisted research and the complexity of browser security.
The update affects iPhone 11 and later models, as well as iPad Pro, iPad Air, and iPad mini devices from recent generations. Beyond the WebKit fixes, iOS 26.1 patches 50+ vulnerabilities across system components, including issues affecting privacy, sandbox escapes, and stolen device protection.
What Users Should Do: iPhone and iPad users should immediately update to iOS 26.1 or iPadOS 26.1 by going to Settings → General → Software Update. The update also addresses privacy concerns, including the potential for apps to monitor keystrokes and access sensitive data without proper authorization.
With browser vulnerabilities representing a primary attack vector for device compromise, keeping iOS up to date remains critical for maintaining device security and protecting personal information from exploitation.