macOS Tahoe 26.5.2 Released: No New Features, But Fixes Over 30 Security Flaws
Apple has released macOS Tahoe 26.5.2, an update that includes security fixes already tested in the beta of macOS Tahoe 26.6. The package addresses over 30 vulnerabilities, spread across kernel components and the WebKit rendering engine.
Among the most serious bugs is CVE-2026-43722, a kernel flaw that allows an app to read sensitive state reserved for the system. In the same component, CVE-2026-43724 allows, under certain conditions, direct writing to kernel memory. Combined, the two issues open up privilege escalation scenarios that are far from theoretical. Apple has resolved both with stricter input sanitization.
The situation is no better on the IOGPUFamily front, where a race condition (CVE-2026-43743) could cause the system to crash unexpectedly. Two bugs in libxslt (CVE-2026-43706 and CVE-2026-43703) have a similar impact: both are double-free vulnerabilities capable of crashing processes while processing malicious web content.
The bulk of the fixes concern WebKit, the engine behind Safari: the list includes dozens of CVEs, mostly use-after-free and memory management issues that can lead to browser crashes or, in more severe cases, exploitable memory corruption. The issues that deserve the most attention are those linked to data exfiltration. CVE-2026-43735 and CVE-2026-43708 both describe scenarios in which a malicious site can steal cross-origin data, bypassing the barriers that should isolate one domain from another. CVE-2026-43700 concerns a security origin tracking issue that can lead to the disclosure of private user information during browsing.
A special case is CVE-2026-43721 related to WebKit Storage: a site can exploit it to silently hijack the content of the system clipboard, without the user noticing. Apple fixed this by enhancing application state management.
The update also touches the WebRTC module, where three distinct vulnerabilities (including CVE-2026-43717 and CVE-2026-43718) could lead to Safari crashes while processing crafted web content, in one case through a stack overflow. On the extensions front, CVE-2026-43704 addresses a flaw that allowed a malicious extension to crash the browser process by exploiting a use-after-free issue.
Among the researchers mentioned in the acknowledgments are several well-known names in the security field, as well as teams from companies like STAR Labs, Baidu Security, and Positive Technologies. Also noted is a contribution from the OpenAI Codex security team, confirming that bug hunting in WebKit now involves entities outside the traditional security world.
The package applies only to systems running macOS Tahoe. As usual, Apple does not provide additional technical details about the vulnerabilities until the fixes are widely distributed. The update is available immediately through System Preferences in the software update section. Given the number of WebKit-related flaws, some of which can be exploited to steal data during normal browsing, installing macOS Tahoe 26.5.2 is considered a priority for those who regularly browse on a Mac. In parallel, Apple also released iOS and iPadOS 26.5.2.