Apple has released a large security update across its main platforms, with the advisory crediting several WebKit fixes to AI tools.
The iOS 26.5.2, iPadOS 26.5.2, macOS Tahoe 26.5.2, and Safari 26.5.2 releases, all dated June 29, fix roughly 30 flaws, the bulk of them in WebKit, the browser engine behind Safari and every iOS browser. Apple says none of the flaws has been exploited in the wild.
One use-after-free flaw, CVE-2026-43715, is credited to Milad Nasr and Nicholas Carlini working “with Claude,” Anthropic’s model. Three more crash-inducing WebKit bugs are credited to OpenAI’s Codex Security team, another sandbox-escape issue to NVIDIA’s AI Red Team, and a further fix is credited to Z.AI’s GLM model.
It is a small but revealing detail. AI-assisted bug hunting is moving from claim to credited contribution, and it now shows up in the patch notes of the most security-conscious vendors. It echoes Anthropic’s own report that its Claude models surfaced hundreds of flaws across open-source code.
Why Apple Moved Early
The other unusual signal is the timing. Apple told Reuters it pulled these fixes forward, shipping them in 26.5.2 rather than waiting for the 26.6 release they were staged in, because AI tools are shortening the gap between a flaw becoming public and attackers weaponizing it.
The risk sits in WebKit. Because Apple requires every browser on iOS to use the engine, a WebKit flaw can affect almost anyone who browses the web, and several of these bugs could be triggered by simply visiting a malicious page. The technique can lead to a Safari crash, memory disclosure, or exposure of data across origins. The kernel fixes address issues an app may exploit to crash a device or tamper with protected memory.
For users and IT teams, the advice hasn’t changed: install the updates promptly. With the fixes now public, the same disclosure that protects patched devices gives attackers a map to unpatched ones, and the window to act on that map is getting shorter.
