Security Bite: What stands out in the iOS 26.4 security release notes


9to5Mac Security Bite is brought to you exclusively by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and secure for the enterprise is what we’re all about. Our uniquely integrated approach to management and security combines state-of-the-art Apple-specific security solutions with the most powerful and modern Apple MDM on the market for fully automated Hardening and Compliance, Next Generation EDR, AI-powered Zero Trust and exclusive Privilege Management. The result is a fully automated Apple Unified Platform that is now trusted by over 45,000 organizations to get millions of Apple devices up and running effortlessly and affordably. Request your EXTENDED TRIAL PERIOD today and find out why Mosyle is everything you need to work with Apple.


On Tuesday, along with the massive release of iOS 26.4, which was in beta until then, Apple released a large list of security patches that eliminates more than 35 vulnerabilities. While most single-point releases come with a large number of fixes, there are a handful of notable ones I’d like to highlight here.

Here are the ones that caught my eye.

About Security Bite: The weekly Security Bite column and bi-weekly podcast are your deep dive into the ever-evolving world of Apple security. Arin Waichulis is a senior IT major and third-year security writer at 9to5Mac. Here, Arin takes a bite out of the most critical topics affecting privacy and security so you can be better informed.

Stolen Device Protection bypass

This is the biggest one. The vulnerability (CVE-2026-28895) allowed someone with physical access to an iPhone to bypass biometrically protected apps using only the passcode, even if Stolen Device Protection was enabled. This means that apps set to “Require Face ID”, an option users can activate by long-pressing the app icon, could still be accessed using only the device’s passcode.

If you have followed Security Bite, I recently broke down the new Stolen Device Protection changes back in February. One is that Apple now enables the feature by default in iOS 26.4.

The whole point of Stolen Device Protection is in the name. It’s there to render a stolen iPhone useless, even if the thief has the passcode.

A bypass like the one above completely breaks the core of the feature. Apple says the fix included improved checks and the issue is now patched.

If you’re wondering how Stolen Device Protection came to be, here’s the background.

A local attacker can access your Keychain

CVE-2026-28864 is another one I found interesting. There aren’t many details about it, but according to Apple, a local attacker could gain access to Keychain items due to insufficient permission checks.

Your Keychain stores passwords, encryption keys, tokens, and more. The risk here is a fairly serious local privilege escalation, and while it does require someone to physically have your device in their hands, that’s exactly the scenario that Stolen Device Protection is designed for.

Your mail privacy settings may not be working…

CVE-2026-20692 revealed that “Hide IP Address” and “Block All Remote Content” may not have been applied to all mail content. So if you have them enabled in Mail, chances are your IP address was not hidden from senders and remote content still loaded.

It’s unclear how widespread this issue is, but it’s never good to have privacy features silently not working.

Sandbox escape through printing

CVE-2026-20688 allowed an application to escape its sandbox via a path handling issue in the Print framework. The framework is part of AirPrint, which allows users to print wirelessly.

Sandbox escapes are always noteworthy because they are a critical link in exploit chains. Once an attacker is out of the sandbox, the attack surface opens up considerably.

Bad month for WebKit

Seven CVEs and one sandboxing issue. Highlights include a Same-Origin Policy issue (CVE-2026-20643), a Content Security Policy bypass (CVE-2026-20665), and a bug that allowed a malicious website to process restricted web content outside of the sandbox (CVE-2026-28859).

This last one is particularly disturbing.

Wrap-up

None of these are listed as being actively exploited in the wild, which is good news. But the severity of a few of these is remarkable for a single-point release.

Bypassing Stolen Device Protection, Keychain access issues, and Mail privacy settings that fail silently are not common problems users encounter.

I recommend updating to 26.4 as soon as possible on all your devices.

You can see the full list of patches for iOS 26.4, macOS 26.4, tvOS 26.4, iPadOS 26.4, and other platforms on Apple’s security releases page.

