Security Bite: What stands out in the iOS 26.4 security release notes

One-sentence headline summary

Apple has released iOS 26.4, addressing over 35 security vulnerabilities, including a critical bypass of Stolen Device Protection and flaws affecting Keychain access, Mail privacy, and WebKit sandboxing.

Key points

  • Apple patched CVE-2026-28895, which allowed unauthorized access to biometrically protected apps by bypassing Stolen Device Protection using only a device passcode.
  • A vulnerability in the Keychain (CVE-2026-28864) permitted local attackers to potentially access sensitive stored passwords and encryption keys.
  • Under CVE-2026-20692, the Mail privacy settings "Hide IP Address" and "Block All Remote Content" were not applied correctly to all content.
  • A sandbox escape flaw in the Printing framework (CVE-2026-20688) could allow malicious apps to break out of their restricted environments.
  • WebKit received multiple security updates, including fixes for Same Origin Policy and Content Security Policy bypasses that could expose users to malicious web content.

Why it matters

These patches address significant security gaps that could compromise user privacy and device integrity, even for those utilizing Apple's advanced protection features. Users are strongly encouraged to update their devices immediately to mitigate these risks, even though none of the vulnerabilities are currently reported as actively exploited.

9to5Mac Published by Arin Waichulis