Apple has released iOS 26.3, iPadOS 26.3, and macOS Tahoe 26.3 and while these updates may look like routine point releases on the surface, there’s an urgency behind them that every Apple user should take seriously. Apple’s release notes acknowledge that one of the vulnerabilities patched in was actively exploited in a real-world attack on iOS devices.
Here’s everything you need to know.
A Quiet Update with an Urgent Security Patch
If you’ve been following the iOS 26.3 beta cycle, you likely know this wasn’t shaping up to be a headline-grabbing feature release. Apple’s official release notes describe iOS 26.3 and iPadOS 26.3 as delivering “bug fixes and security updates,” and macOS Tahoe 26.3 is similarly understated—an under-the-hood update with important improvements. But “bug fixes and security updates” is doing a lot of heavy lifting this time around.
According to Apple’s full security release notes, iOS and iPadOS 26.3 address 37 distinct security vulnerabilities. That’s a substantial list, and it spans a wide range of system components. macOS Tahoe 26.3 carries its own set of fixes across the platform as well. Apple simultaneously released companion updates for older supported platforms—including iOS 18.7.5, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, watchOS 26.3, tvOS 26.3, and visionOS 26.3—all of which address the same core vulnerabilities on their respective platforms.
The Patch You Need to Know About
The most alarming item in Apple’s security notes concerned a flaw in dyld, macOS and iOS’s dynamic link editor—the system component responsible for loading and linking shared libraries when apps and processes launch. It’s a deep and trusted part of the operating system, which makes a vulnerability there especially dangerous.
Apple’s description of the issue is stark: an attacker with memory write capability could use this flaw to execute arbitrary code on the device. In plain terms, this means a malicious actor could potentially run whatever software they want on your iPhone, iPad, or Mac without your knowledge or permission.
Worse, Apple acknowledges awareness of a report that this vulnerability “may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.” Apple says the memory corruption issue was fixed with improved state management.
The phrase “extremely sophisticated attack” has appeared in Apple’s security advisories before, often in the context of commercial spyware or nation-state-level threat actors. While the targeting appears to have been narrow and deliberate rather than a broad campaign, that doesn’t mean average users are without risk — and now that the vulnerability has been publicly disclosed, the threat landscape for unpatched devices has broadened significantly.
What Else Is Being Fixed?
Beyond the dyld vulnerability, iOS and iPadOS 26.3 patch 36 other security issues across a wide range of system components. The full list is available on Apple’s security release notes page, and while Apple notes that most of these issues don’t have evidence of active exploitation, that status can change quickly once vulnerabilities become public knowledge.
Apple’s own guidance is that users should update as soon as possible precisely because publishing the details of a security flaw effectively hands would-be attackers a roadmap. A vulnerability that wasn’t being exploited yesterday may well be targeted tomorrow, now that its existence is publicly documented.
What’s New Beyond Security: New Macs Teased?
While security is the headlining reason to update, iOS 26.3 and iPadOS 26.3 do bring a few other notable additions.
Android device transfer tool. Apple quietly added a tool to make switching from an Apple device to an Android device easier. Transfers can be initiated during the device setup process and support moving photos, messages, notes, apps, passwords, phone numbers, and more — all without needing to manually download companion apps from both Apple and Google. The feature was pushed globally, in part due to requirements under the European Union’s Digital Markets Act (DMA), which mandates interoperability to prevent platform lock-in.
Carrier location tracking limits. For devices equipped with Apple’s C1 or C1X modem chips, iOS 26.3 adds a setting to limit precise location tracking by carriers. In the United States, this is currently supported only by Boost Mobile, with additional support from EE and BT in the UK, Telekom in Germany, and AIS and True in Thailand.
Third-party accessory improvements (EU). The update includes DMA-driven changes in Europe that enable third-party wearables — headphones, smartwatches, and other accessories — to take advantage of proximity pairing similar to AirPods, as well as richer notification forwarding from iPhone.
On the Mac side, macOS Tahoe 26.3 lays groundwork for what’s coming next: the build contains references to unreleased Apple Silicon chips, widely interpreted as signs that M5 Max and M5 Ultra-based MacBook Pros are on the near horizon. The update also arrives alongside Xcode 26.3, which introduces support for agentic coding tools including OpenAI’s Codex and Anthropic’s Claude Code agent.
How to Update
On iPhone or iPad: Go to Settings > General > Software Update. The update will appear as iOS 26.3 or iPadOS 26.3. Tap “Download and Install.” Note that the download is substantial — users have reported sizes ranging from roughly 2 GB to nearly 12 GB depending on device model and current software version — so make sure you’re on Wi-Fi and have adequate battery life or are plugged in before you begin.
On Mac: Go to System Settings > General > Software Update and install macOS Tahoe 26.3.
If your device doesn’t support iOS 26 or iPadOS 26, Apple has also released iOS 18.7.5 and iPadOS 18.7.5, which patch the same critical vulnerabilities for older hardware. Similarly, Macs that can’t run macOS Tahoe can apply macOS Sequoia 15.7.4 or macOS Sonoma 14.8.4 for equivalent security coverage.
