
iOS 26.5 fixes a kernel privilege escalation to root (CVE-2026-28951)

Apple released iOS 26.5 and iPadOS 26.5 on May 11, 2026, an update that closes more than 90 security flaws across the system: Kernel, WebKit, ImageIO, IOKit, Networking and several other components. One of them deserves a closer look: CVE-2026-28951, a privilege escalation in the device kernel itself.

What CVE-2026-28951 is

Apple’s advisory describes it as an authorization issue in the kernel that was addressed with improved state management. In plain terms, an app already installed on an iPhone or iPad could, under certain conditions, slip past the system’s permission checks and gain root privileges. The flaw was reported by researcher Csaba Fitzl (@theevilbit), who has a long track record in Apple platform security.

The kernel is the most privileged layer of the system. Once an app runs at that level, it stops being confined by the sandbox that normally keeps each app isolated from the rest of the device, and gains access to memory, files and components that iOS keeps off-limits to ordinary apps.

Who it affects and how serious it is

The flaw affects iPhones and iPads running iOS/iPadOS versions earlier than 26.5. Apple rates the impact as high: a malicious app that reached the device could use it to break out of its container and take control at the kernel level. The catch is that the attacker already needs code running on the device, either through a seemingly legitimate app or by chaining this bug with an earlier vulnerability.

There is some good news here. Apple reported no active exploitation at the time of publication. This is not a zero-day that attackers were using in the wild, but a flaw found and reported responsibly and patched before any known abuse showed up.

How to protect yourself

The fix is straightforward: update to iOS 26.5 or iPadOS 26.5. You can do it from Settings > General > Software Update. If you have automatic updates turned on, your device is probably already current. Check anyway, because this same batch closes other serious kernel flaws, including a memory disclosure issue (CVE-2026-43654), a buffer overflow (CVE-2026-28897) and a kernel memory write (CVE-2026-28972), plus a sizeable set of WebKit flaws that trigger when loading web content.

For company-managed devices, the sensible move is to push the update through MDM as soon as it has been validated, without letting weeks slip by. Kernel root escalations are exactly the kind of bug attackers combine with others to build full exploit chains, so closing the window early makes a real difference.
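
An added example, not from Apple or the original article: a fleet check over an inventory export that flags iOS/iPadOS devices still below 26.5. The CSV layout, column names and serial numbers are constructed for illustration; versions are compared numerically so that 26.10 is not mistaken for something older than 26.5, and devices with no readable version are reported separately instead of being counted as patched.

```python
import csv
import io

FIXED = (26, 5)  # first fixed release per the article: iOS/iPadOS 26.5

# Constructed sample inventory; column names are hypothetical, not a real MDM schema.
SAMPLE_EXPORT = """serial,platform,os_version
C0NSTRUCTED01,iOS,26.4.1
C0NSTRUCTED02,iPadOS,26.5
C0NSTRUCTED03,iOS,26.10
C0NSTRUCTED04,iOS,18.7.2
C0NSTRUCTED05,iPadOS,
C0NSTRUCTED06,macOS,26.4
C0NSTRUCTED07,iOS,26.5.0
"""

def parse_version(text):
    """Return a tuple of ints, or None if the field is empty or malformed."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_patched(version, fixed=FIXED):
    """Compare numerically, padding so that 26.5 == 26.5.0 and 26.10 > 26.5."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(fixed)

def audit(export_text):
    """Split iOS/iPadOS devices into needs-update and unknown-version lists."""
    needs_update, unknown = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["platform"] not in ("iOS", "iPadOS"):
            continue  # the article's fix version applies to iOS/iPadOS only
        version = parse_version(row["os_version"])
        if version is None:
            unknown.append(row["serial"])  # unverified, so not counted as compliant
        elif not is_patched(version):
            needs_update.append(row["serial"])
    return needs_update, unknown

if __name__ == "__main__":
    stale, unverified = audit(SAMPLE_EXPORT)
    print("needs update:", stale)
    print("version unknown:", unverified)
```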
