HeadlinesBriefing.com

iOS 26.4 Security Release Fixes 35 Flaws, Including Critical Stolen Device Bypass

9to5Mac

Apple's iOS 26.4 update, released Tuesday, patches over 35 security vulnerabilities, including a critical flaw undermining its Stolen Device Protection feature. The patch for CVE-2026-28895 closes a bypass that allowed someone with physical access to the device to get past biometric locks on apps protected by 'Require Face ID'. This vulnerability directly contradicts the core purpose of Stolen Device Protection, which aims to render a stolen iPhone useless even with a passcode.

Apple attributes the fix to improved checks. Additionally, the update resolves a Keychain access flaw (CVE-2026-28864) enabling local attackers to steal passwords and encryption keys, and a Mail privacy setting issue (CVE-2026-20692) where 'Hide IP Address' and 'Block All Remote Content' failed to apply universally. While no active exploitation is reported, the severity of these issues highlights the update's critical importance for user security.

Users are strongly advised to update all compatible devices immediately to mitigate these risks.