December 15, 2025

Apple has released iOS 26.2 and is urging users to update immediately after confirming that two security flaws fixed in the update are already being exploited in targeted attacks. The release addresses 26 vulnerabilities in total that could allow attackers to take control of affected devices.
According to Apple, the two exploited flaws affect WebKit, the browser engine that underpins Safari and all iPhone browsers. Tracked as CVE-2025-43529 and CVE-2025-14174, the bugs could allow arbitrary code execution when users interact with maliciously crafted web content. Apple said the issues “may have been exploited in an extremely sophisticated attack against specific targeted individuals” running versions of iOS prior to iOS 26.
The update also patches a kernel vulnerability, CVE-2025-46285, which could allow a malicious app to gain root privileges. That level of access would let an attacker bypass app sandboxing, read messages and authentication codes, and hijack sensitive sessions.
“If an attacker gains root access on a phone, they effectively own it,” said Javvad Malik, lead CISO advisor at KnowBe4.
The timing of the release comes as Apple confirms that iPhone users in at least 80 countries have been targeted with spyware. The company recently sent threat notifications warning users that sophisticated malware campaigns were underway, typically aimed at journalists, dissidents and individuals in sensitive business sectors. Once installed, spyware can monitor activity across apps, including encrypted messaging platforms.
Apple released iOS 26.2 alongside iOS 18.7.3, which also patches the exploited WebKit flaws for users who remain on older operating systems. The company says attacks targeted versions of iOS prior to iOS 26, but issued fixes across both tracks to limit exposure. Apple has also updated macOS, watchOS, tvOS and visionOS as part of the same security cycle.
Security researchers stress that timing is critical once patches are published. “When fixes are released, details about the vulnerabilities quickly become public, giving attackers a roadmap to exploit any devices that have not yet been patched,” said Darren Guccione, CEO of Keeper Security.
iOS 26.2 is available now for supported iPhone and iPad models. Apple advises users to update directly through their device settings rather than following links or pop-ups. For those unable to upgrade immediately, features such as Lockdown Mode can reduce exposure. They do not, however, replace installing the latest update.
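For administrators tracking a fleet rather than a single handset, the practical question is which devices are still below the patched build on their release track (26.2 on the iOS 26 track, 18.7.3 on the iOS 18 track, as the article states). The following is an added example, not Apple's tooling or code from the article; the device inventory is constructed, and the minimum-version table and the "unsupported" bucket for any other major version are assumptions for illustration.

```python
from typing import Dict, List, Tuple

# Minimum patched build per release track, taken from the article:
# iOS 26.x must be at least 26.2, iOS 18.x must be at least 18.7.3.
# Any other major version is flagged as unsupported so it gets a manual look
# rather than silently passing (assumption for this example).
PATCHED_MINIMUM: Dict[int, Tuple[int, int, int]] = {
    26: (26, 2, 0),
    18: (18, 7, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '26.2' or '18.7.3' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def device_status(version: str) -> str:
    """Classify one device: patched, vulnerable, unsupported or unparseable."""
    try:
        major, minor, patch = parse_version(version)
    except ValueError:
        return "unparseable"
    minimum = PATCHED_MINIMUM.get(major)
    if minimum is None:
        return "unsupported"
    return "patched" if (major, minor, patch) >= minimum else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group device names by status so the vulnerable list can be actioned first."""
    report: Dict[str, List[str]] = {
        "patched": [], "vulnerable": [], "unsupported": [], "unparseable": []
    }
    for name, version in inventory:
        report[device_status(version)].append(name)
    return report


# Constructed sample inventory (device name, reported iOS version).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("exec-iphone-01", "26.2"),
    ("exec-iphone-02", "26.1.1"),
    ("legal-ipad-07", "18.7.3"),
    ("legal-ipad-08", "18.7.2"),
    ("lab-iphone-old", "17.7"),
    ("kiosk-ipad", "n/a"),
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>11}: {', '.join(names) or '-'}")
```

Devices in the "vulnerable" bucket are the ones the article's advice applies to most urgently; "unsupported" and "unparseable" entries need a human to confirm what they actually run before they are treated as safe.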
