Apple has released emergency security updates to fix two critical zero‑day vulnerabilities that were being actively exploited against users running older versions of its software. The patches come as part of a broader update spanning iOS, iPadOS, macOS, watchOS, tvOS and Safari. Experts say updating immediately is crucial to protect devices from sophisticated cyberattacks.
What Are Zero‑Day Vulnerabilities?
Zero‑day flaws are security bugs that attackers exploit before the vendor officially fixes them. Because they are unpatched, they pose a serious risk to user devices. In this case, the bugs were found in WebKit, the browser engine used by Safari and many Apple apps.
Apple confirmed that attackers could trigger these vulnerabilities simply by having a user load malicious web content. No extra interaction, like clicking a link, was needed for potential exploitation.
Details of the Patched Flaws
The two zero‑day issues are tracked as CVE‑2025‑43529 and CVE‑2025‑14174. Both affect WebKit’s memory handling, which could let attackers run arbitrary code or destabilise a device’s memory.
CVE‑2025‑43529 is a use‑after‑free flaw. It occurs when software tries to use memory that was already freed, creating an entry point for malicious code.
CVE‑2025‑14174 is a memory corruption issue that also helps attackers manipulate the system if they entice a device to process harmful content.
Apple’s security notes say these bugs “may have been exploited in an extremely sophisticated attack against specific targeted individuals”, underlining the real‑world nature of the threat.
Devices Affected by the Flaws
The vulnerabilities affect a broad range of Apple devices, particularly older versions of iPhone and iPad operating systems. Users of these devices were urged to install updates to block ongoing exploitation.
How Apple Has Responded?
To address the risk, Apple released fixes within the iOS 26.2 update along with security patches for other platforms. Users should update their devices as soon as possible through Settings > General > Software Update on iPhone and iPad, or via System Preferences on macOS.
Apple also included WebKit fixes in the latest Safari 26.2 update, ensuring the browser engine itself is safer from malicious web content.
Coordinated Industry Action
In a rare move, Google also patched a related zero‑day in its Chrome browser this week, pointing to shared concerns among tech giants about this class of threats. The collaboration shows how serious targeted attacks have become and highlights the importance of coordinated disclosure in cybersecurity.
Why You Must Update Now?
Security researchers emphasise that even if you are not a direct target, updating your device matters. Zero‑days can be repurposed to compromise ordinary users once they are known publicly. Installing the latest security patches reduces exposure to future threats and strengthens overall device safety.
What Attackers Can Do with WebKit Exploits?
WebKit powers not only Safari but also many apps that display web content. That means a vulnerability here can affect a wide range of functions on Apple devices. Attackers could potentially run malicious code, steal data, or gain further access into the system if a user visited a crafted webpage.
Security analysts also note that such vulnerabilities have been targeted before in large‑scale campaigns involving spyware and surveillance tools. These incidents often focus on high‑value targets like journalists, activists or business leaders.
Additional Security Fixes in iOS 26.2
While the two WebKit zero‑days grab the most attention, iOS 26.2 also includes fixes for other issues across core system components and apps. Apple’s official security bulletin lists multiple CVE entries showing addressed bugs that could affect privacy or device stability.
