Preface: Apple does not officially describe itself as a “walled garden.” Instead, that term is used by analysts, journalists, and critics to describe Apple’s tightly controlled ecosystem, where hardware, software, and services are designed to work together exclusively.

Background: Why Network Extensions Crashed M5 Macs?

This internal memory filtering is precisely why traditional network content filters caused M5 Macs to crash prior to the macOS Tahoe 26.5.1 update.

Network filtering apps monitor deep kernel-level web traffic, meaning they constantly look at low-level system memory. Older iterations of these network extensions were attempting to read raw packet data in unified memory using pointers that lacked the strict, hardware-enforced M5 cryptographic tags. The M5 chip assumed a cyberattack was underway and instantly shut the entire computer down to maintain total data confidentiality.

How MIE Filters Memory Inside the M5 Silicon

Traditional operating systems rely entirely on software code to ensure one app does not touch another app’s memory data. MIE shifts this burden entirely to physical chip components. It is built upon ARM’s Enhanced Memory Tagging Extension (EMTE) operating in a strict, performance-optimized “synchronous mode”.

Information Details: The macOS Tahoe 26.5.1 (Build 25F80) update, released on June 2, 2026, focuses on enterprise fixes rather than (published) CVE security vulnerabilities. It resolves an issue causing unexpected shutdowns on M5 Macs when utilizing specific content-filtering network extensions.

Details of the 26.5.1 (25F80) Update:

• Release Date: June 2, 2026
• Published CVEs: None

Primary Fix: Addressed a critical issue for enterprise users where Macs featuring the M5 chip would abruptly shut down when handling certain content-filtering network extensions.

Ref: The macOS Tahoe 26.5.1 (Build 25F80) update, released on June 2, 2026, focuses on enterprise fixes rather than (published) CVE security vulnerabilities.

About other updates coming at the same time: macOS 26.5.1: Build 25F80 iOS 26.5.1 / iPadOS 26.5.1: Build 23F81

End of article.

Preface: In iOS, the microkernel component (Mach) does not communicate with user space from a separate address space. Instead, it communicates directly within a unified kernel space alongside monolithic components, bypassing the traditional performance costs of a pure microkernel.

While iOS runs on an ARM-based architecture (Apple Silicon), its operating system core, XNU (“X is Not Unix”), is a hybrid kernel. It integrates the Mach microkernel with a monolithic BSD layer and the I/O Kitdriver framework into a single, highly privileged address space. 

Background: If a specific, complex code path inside a kernel subsystem utilizes an object but contains a logic error that forgets to call the appropriate reference increment function (e.g., ipc_port_reference()), the reference count drops to zero prematurely when another thread requests a deletion.

The Result: The kernel safely deletes the object according to its counters, but the flawed subsystem still holds a raw C pointer to that memory address. When the subsystem eventually attempts to write data to that pointer, it performs an out-of-bounds write into memory that may now contain entirely different data.

Vulnerability details: An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination or write kernel memory.

Official announcement: Please refer to the link for details – https://www.cve.org/CVERecord?id=CVE-2026-28972

Preface: My iPhone 15 pushed the iOS 26.4.2 update again on May 2, 2026. I think even if you installed it around April 24—is likely because Apple released a revised build of that same update to address continued issues, or my device failed to properly register the previous installation due to the emergency nature of the patch.

Background: Why I received the update again on 1st May 2026. The NVD’s last modified date is shown as April 29, 2026. Therefore, this is one of the reasons why I need to perform the analysis again. Why update again? Similar to previous scenarios in 2023, Apple often re-issues critical patches if the first version did not fully resolve the issue, was causing compatibility problems, or if new information about the vulnerability arose.

My observation: The April 29 update reinforces why your switch to PRAGMA secure_delete = ON; is the right move. The official fix description—”improved data redaction”—aligns with the behavior of secure_delete, which physically overwrites data to ensure it cannot be recovered via forensic tools.

By using the PRAGMA, you are implementing at the application level what Apple has now implemented at the OS level: ensuring that when a record is “deleted,” its physical remnants are immediately destroyed.

The following URL is the analysis report I published on April 24, 2026 – http://www.antihackingonline.com/cell-phone-iphone-android-windows-mobile/the-ghost-data-issue-has-been-fixed-in-ios-18-7-8-and-ipados-18-7-8-as-well-as-ios-26-4-2-and-ipados-26-4-2-24th-apr-2026/

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2026-28950

Preface: To be or not to be! Fixing this “bug” makes it easier for criminals to destroy evidence. However, leaving it unpatched leaves billions of innocent users vulnerable to forensic data theft if their phones are ever lost or stolen.

Background: Internally, iOS manages notifications through a system service called bulletinboard. The actual data is typically stored in a SQLite database file named deliverednotifications[.]sqlite, located in a protected system directory (usually /private/var/mobile/Library/BulletinBoard/).

The Freelist Mechanism: When iOS deletes a notification, SQLite does not immediately erase the data from the hard drive; instead, it marks the block as “Freelist.”

Fundamental Problem: The original binary data still exists in these blocks before they are overwritten by new data.

• Forensic Principle: Forensic tools can scan these unallocated spaces and directly extract the message content.

Vulnerability details: A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2. Notifications marked for deletion could be unexpectedly retained on the device.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2026-28950

Preface: WLAN (Wi-Fi/Bluetooth) System: This is handled by the Qualcomm FastConnect 7800 Mobile Connectivity System. It manages Wi-Fi 7 and Bluetooth protocols independently of the 5G modem.

While they are integrated onto the same Snapdragon 8 Gen 3 platform and work together for features like Dual-SIM Dual-Active (DSDA) and interference cancellation to ensure smooth handovers between cellular and Wi-Fi, their firmware and management systems remain functionally separate.

Background: The processing of Neighbour Awareness Networking (NAN) service data frames via Qualcomm FastConnect (or similar WLAN chipsets) inherently involves the WLAN firmware buffer.

When a WLAN chip (such as those in the Qualcomm FastConnect series) receives data frames via Neighbourhood Aware Network (NAN) connections, the firmware plays a central role in handling the data path before it reaches the host processor.

Ref: In Qualcomm FastConnect (and similar chipsets), “self-startup” refers to the firmware autonomous mode where the WLAN chip manages NAN Discovery Windows and frame matching internally without waking the main application processor (AP).

Vulnerability details: Transient DOS when receiving a service data frame with excessive length during device matching over a neighbourhood awareness network protocol connection.

Vulnerability Type – CWE-126 Buffer Over-read

Access Vector – Remote

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2026-21381

Preface: The Mainline module (com[.]android[.]media[.]swcodec) contains software-onlycodecs. AMD does not touch these; they are strictly managed and updated by Google via the Play Store to ensure universal playback and security across all devices. For performance (like 4K video or gaming), AMD must provide its own hardware-accelerated codecs in the “vendor” partition of the device. To work with the Mainline system, AMD (or partners like those working on Android-x86) must implement Codec 2.0 (C2) drivers. This is the standard “language” the Android media framework uses to talk to any GPU—whether it’s Qualcomm, ARM, or AMD.

Background: Cybercriminals may exploit two design flaws to achieve their goals. Details are as follows:

Step 1. Entry Point: Malicious Media File

The user receives or encounters a specially crafted media file (e.g., via a messaging app or a website). No user interaction beyond opening the file or its preview is required.

Step 2. Step 1: Remote Code Execution (CVE-2026-0006)

Component: com[.]android[.]media[.]swcodec (Media Codecs Mainline).

Action: A heap buffer overflow occurs during the decoding process.

Result: The attacker gains System-level remote code execution. However, they are still “sandboxed” within the media process.

Step 3. Step 2: The “Zero-Copy” Hand-off (DMA-BUF)

Component: Codec 2.0 (C2) Driver Bridge.

Action: To maintain performance, the system uses DMA-BUF Heaps to pass the malicious buffer directly to the GPU without copying it.

Vulnerability Point: The system assumes the buffer boundaries are safe because they were “validated” by the software layer.

Step 4. Step 3: Privilege Escalation (CVE-2026-21385)

Vulnerability details:

CVE-2026-0006 (Critical System RCE): This is a heap buffer overflow in the Media Codecs Mainline component (com[.]android[.]media.swcodec). It allows for Remote Code Execution (RCE) without user interaction, often triggered by processing a specially crafted media file.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2026-0006

CVE-2026-21385 (High-Severity Qualcomm Graphics): This is a memory corruption flaw in a Qualcomm graphics/display component. It stems from an integer overflow during memory allocation, specifically related to how memory alignments are handled. 

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2026-21385