Emergency iOS 26.2 security update patches WebKit exploits
Emergency iOS 26.2 patches two WebKit zero-days used in targeted attacks. Apple urges urgent updates on iPhone, iPad, macOS, watchOS and Safari. Update now.
Apple has rolled out an emergency iOS 26.2 security update, closing two dangerous vulnerabilities already exploited in real-world targeted attacks. The company said the incidents involved highly sophisticated intrusions aimed at a limited set of users and tied to spyware, rather than mass data or financial theft.
Both weaknesses were found in WebKit—the engine that powers Safari and, on iPhone and iPad, every third-party browser. In practice, merely opening a malicious website could be enough to trigger an attack. Tracked as CVE-2025-43529 and CVE-2025-14174, the flaws were used as part of the same attack chain, according to Apple.
The first bug enabled arbitrary code execution on a device due to improper memory handling in WebKit. The second, identified in collaboration with Google’s Threat Analysis Group, also affected the browser engine. Apple says it addressed both by tightening memory management and adding extra checks, while withholding specifics so as not to hand attackers a roadmap.
Patches arrived across the Apple ecosystem, including iOS and iPadOS, macOS, watchOS, tvOS, visionOS, and Safari. Because iOS requires all browsers to use WebKit, the exposure extended to Chrome and other alternatives installed on iPhone.
Apple once again urges users to install updates without delay, noting that zero-day campaigns typically go after devices with outdated software first. The company also points to Lockdown Mode for people who may face targeted attacks and advises watching for unusual behavior such as overheating, sudden battery drain, or Safari glitches. The takeaway is clear: update promptly and leave attackers with fewer openings.