Apple has released iOS 26.2 and iPadOS 26.2, addressing a wide range of security vulnerabilities, including two zero-days reportedly exploited in sophisticated targeted attacks against iOS users.
The update patches at least 30 flaws across critical system components, ranging from the kernel to WebKit, exposing the extent to which malicious actors have been probing the Apple software ecosystem.
The two zero-day vulnerabilities patched in this release are CVE-2025-43529 and CVE-2025-14174, both located in WebKit, the browser engine underlying Safari and other iOS apps. According to Apple, these bugs may have been exploited in real-world attacks targeting individuals with high precision, possibly through malicious web content. CVE-2025-14174 was previously reported as a zero-day in Google Chrome and later assigned by Google’s Threat Analysis Group (TAG), who co-authored the joint CVE attribution with Apple.
CVE-2025-14174 involves a memory corruption flaw in ANGLE (Almost Native Graphics Layer Engine), a component used for WebGL rendering. The issue first surfaced in Chrome and was actively exploited before a fix was rolled out on December 11, 2025. Apple’s own investigation revealed its impact extended to iOS via shared dependencies, resulting in CVE-2025-43529, a use-after-free issue in WebKit potentially leveraged for code execution.
The flaws were uncovered and analyzed by Google's TAG team and Apple’s internal security teams. Google initially withheld technical specifics to protect users, consistent with its policy of delayed disclosure for in-the-wild zero-days. Apple’s advisory confirms the exploit activity was limited to pre-iOS 26 devices, suggesting recent updates mitigated the attack vector prior to this broader patch.
In addition to these high-risk issues, iOS 26.2 fixes several other vulnerabilities with significant privacy and security implications:
- CVE-2025-46285 (Kernel): An integer overflow that allows a local app to escalate privileges to root.
- CVE-2025-46288 (App Store): Flaw that allows apps to access sensitive Apple Pay tokens due to improper permission checks.
- CVE-2025-43428 (Photos): A configuration issue permitted unauthorized access to hidden photos.
- CVE-2025-43542 (FaceTime): Remote FaceTime sessions could reveal password fields unintentionally during screen sharing, a serious privacy concern.
- CVE-2025-46276 & CVE-2025-46292: Bugs allowing unauthorized access to user data via Messages and the Telephony framework, respectively.
The update also closes multiple vulnerabilities in WebKit, including type confusion, buffer overflows, use-after-free bugs, and a race condition. These issues, reported by researchers from Trend Micro’s ZDI, Epic Games, and Google’s Big Sleep team, could lead to arbitrary code execution or app crashes simply by visiting malicious web content.
iPhone and iPad users are strongly advised to update to iOS 26.2 and iPadOS 26.2 immediately, through Settings > General > Software Update > Download and install iOS 26.2.
Leave a Reply