Apple Patches Four AI-Discovered WebKit CVEs in iOS 26.5.2 Release

The updates address CVE-2026-43707, CVE-2026-43716, CVE-2026-43745 and CVE-2026-43715, each involving memory corruption or use-after-free conditions reachable via crafted web content. Apple credited automated tooling rather than human researchers for the initial triage, marking the first public batch of AI-flagged WebKit issues shipped to mass-market devices. No in-the-wild exploitation has been confirmed; CVSS scores remain unpublished by Apple.

Procurement records show Apple began internal trials of Codex-style models for static analysis in late 2025 under a classified services agreement with OpenAI. The same pattern appears in recent DoD SBIR solicitations seeking AI triage pipelines for zero-day corpora. This suggests the public disclosure is a downstream artifact of scaled internal scanning rather than isolated researcher reports.

Official statements emphasize shortened patch windows to counter AI-accelerated exploit development, yet Apple has not released the model prompts, training cutoffs or false-positive rates used by Codex and Claude. Independent verification of attribution therefore rests solely on Apple’s acknowledgments, creating an evidence gap between claimed discovery method and reproducible technical artifacts.

Next quarter’s release cadence will test whether the new disclosure-to-patch interval holds under sustained AI scanning pressure; any repeat of the 30-plus WebKit fixes without corresponding CVE detail would confirm the shift toward automated, low-visibility remediation.