Apple has released iOS 26.4.2 and iPadOS 26.4.2, urging all users to install the update immediately to address a critical security vulnerability. The company disclosed the flaw, which impacts both iPhones and iPads, in a security advisory issued on Thursday.

The update patches an issue in the device’s kernel, the core component of the operating system. According to Apple, the vulnerability could allow an attacker to execute arbitrary code with elevated privileges, potentially gaining full control of an affected device. The company stated it is aware of reports that the flaw may have been actively exploited in the wild.

Scope of the vulnerability

The security flaw affects a wide range of Apple devices. Eligible models include iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and the 7th generation iPod touch. Apple’s advisory also covers iPad Pro models across all generations.

Security experts have described the vulnerability as severe. Unauthorized code execution at the kernel level gives an attacker near total access to a device’s functions, including the ability to install malicious software, access sensitive data, and modify system settings.

Response and recommendations

Apple has not provided detailed technical information about the exploit, a standard practice to allow users time to update before further details are disclosed. The company recommends that all users upgrade to iOS 26.4.2 or iPadOS 26.4.2 as soon as possible.

Users can check for the update by navigating to Settings, selecting General, and then tapping Software Update. The update is free and available over the air for all compatible devices.

Past security incidents

This is not the first time Apple has faced a critical kernel level vulnerability. The company has previously issued emergency updates for similar exploits, including the infamous “Pegasus” spyware attacks which used zero click exploits to compromise iPhones. Those incidents highlighted the need for rapid patching and user vigilance.

Security researchers often discover kernel flaws through a combination of internal audits and external vulnerability disclosures. Apple’s bug bounty program offers rewards for researchers who report such issues privately, allowing the company to develop patches before exploits are widely used.

Implications for users

For the average user, the primary risk is data theft or device compromise without direct interaction. Attackers could potentially deliver the exploit through compromised websites, malicious applications, or unsecured Wi-Fi networks. Once installed, the payload could operate silently in the background.

Enterprise users face additional concerns. A kernel level compromise could allow attackers to bypass mobile device management controls, exfiltrate corporate data, and move laterally across networks. Organizations using Apple devices for sensitive work should prioritize the update.

The update also addresses several other less severe security issues, including memory corruption bugs in the WebKit browser engine and a logic issue in the Photos framework. Apple has credited multiple researchers for their contributions to the fix.

Update deployment

Rollouts have begun globally. Users in all regions should receive the update notification automatically within 24 hours. For those who have not yet received the notification, manual checking is recommended.

Apple has not provided a timeline for future updates, but security analysts expect another patch cycle within the coming weeks as further vulnerabilities are identified. The company continues to monitor for exploitation reports and will likely issue additional advisories if needed.

Source: Delimiter Online