Apple's iOS 26.4 security update addresses over 35 vulnerabilities, including a critical bypass of Stolen Device Protection and Keychain access flaws that could compromise device security.
Apple has released iOS 26.4 with a substantial security update that patches over 35 vulnerabilities, including several critical flaws that could have serious implications for user privacy and device security. The update, which followed a beta period, addresses vulnerabilities ranging from local privilege escalation to sandbox escapes, with several issues standing out as particularly concerning.
Stolen Device Protection Bypass: The Most Critical Vulnerability
The most alarming vulnerability in this release is CVE-2026-28895, which allowed attackers with physical access to bypass biometrically protected apps using only the device's passcode, even when Stolen Device Protection was enabled. This vulnerability fundamentally undermined the core premise of Apple's anti-theft feature.
Stolen Device Protection, introduced to prevent thieves from accessing sensitive data and performing security-critical operations even if they obtain your passcode, could be circumvented through this flaw. Apps that users had configured to require Face ID or Touch ID through the 'Require Face ID' option could still be accessed using just the passcode.
The vulnerability is particularly concerning because Apple recently enabled Stolen Device Protection by default in iOS 26.4, making this bypass potentially affect a much wider user base. The fix involved improved permission checks, and Apple has confirmed the issue is now patched. Users who rely on Stolen Device Protection for peace of mind should update immediately.
Keychain Access Vulnerability: Local Privilege Escalation
Another significant vulnerability, CVE-2026-28864, involved insufficient permissions checking that could allow a local attacker to gain access to Keychain items. The Keychain stores sensitive information including passwords, encryption keys, tokens, and other credentials that users rely on for secure authentication across apps and services.
While this vulnerability requires physical access to the device, it represents a serious local privilege escalation that could compromise the security of stored credentials. This type of flaw is particularly dangerous in scenarios where Stolen Device Protection is designed to provide protection, creating a concerning overlap with the Stolen Device Protection bypass vulnerability.
Mail Privacy Settings Failure
CVE-2026-20692 revealed that Mail privacy features may not have been functioning as intended. Specifically, the "Hide IP Address" and "Block All Remote Content" settings in the Mail app may not have applied to all mail content, potentially exposing users' IP addresses to senders and allowing remote content to load despite these privacy protections being enabled.
The silent failure of these privacy features is particularly troubling because users had no indication that their settings weren't working as expected. This type of vulnerability undermines user trust in privacy controls and could have exposed sensitive metadata without users' knowledge.
Sandbox Escape Through Printing Framework
CVE-2026-20688 allowed applications to break out of their sandbox via a path handling issue in the Printing framework, which is part of AirPrint functionality for wireless printing. Sandbox escapes are always significant because they remove one of the fundamental security boundaries that protect iOS devices.
Once an application escapes the sandbox, it gains access to system resources and data that would normally be restricted, significantly expanding the potential attack surface. This type of vulnerability is often a critical component in exploit chains, where attackers combine multiple vulnerabilities to achieve their objectives.
Web Browser Security Issues
The update also addresses seven CVEs related to web browser security, including a Same Origin Policy bypass (CVE-2026-20643), a Content Security Policy bypass (CVE-2026-20665), and a particularly concerning bug (CVE-2026-28859) that allowed malicious websites to process restricted web content outside the sandbox.
These web-related vulnerabilities could have enabled various forms of cross-site scripting attacks, data exfiltration, and other web-based threats that compromise user privacy and security while browsing.
Update Recommendation
While Apple states that none of these vulnerabilities are known to have been actively exploited in the wild, the severity of several issues makes this update particularly important. The combination of a Stolen Device Protection bypass, Keychain access vulnerabilities, and silent privacy feature failures represents a significant security concern that warrants immediate attention.
Users should update to iOS 26.4 on all their devices as soon as possible. The update is available for iPhone, iPad, Mac, and Apple TV devices. You can find the complete list of security patches for all Apple platforms on Apple's security releases page.
The iOS 26.4 update demonstrates Apple's continued commitment to addressing security vulnerabilities, but also highlights the complex challenges of maintaining security in an increasingly connected ecosystem. As attackers develop more sophisticated techniques, the importance of timely security updates becomes even more critical for protecting user data and privacy.
Comments
Please log in or register to join the discussion