Penelope Iroko Table of Contents
Apple 0-day vulnerabilities are being exploited in targeted attacks against select iPhone users, driving urgent patches in iOS 26.2 and iPadOS 26.2. Apple fixed two WebKit flaws that enable arbitrary code execution via malicious web content. Google Threat Analysis Group (TAG) and Apple jointly investigated the activity, which aligns with spyware operations.
The updates also deliver dozens of additional security fixes across Kernel, Screen Time, Messages, and WebKit hardening, reducing overall mobile attack surface.
Apple advises immediate installation for iPhone 11 and later and supported iPad models due to active exploitation of these Apple 0-day vulnerabilities.
Apple 0-day vulnerabilities: What You Need to Know
- Update now to iOS 26.2/iPadOS 26.2; two WebKit zero-day exploits are being used for targeted device compromise.
Recommended defenses and tools
- Bitdefender – Endpoint protection to block exploit delivery and spyware.
- 1Password – Harden credentials against account takeover after device compromise.
- IDrive – Encrypted backups to speed recovery from mobile incidents.
- Tenable – Prioritize CVEs and track patch coverage across fleets.
Patches in iOS 26.2 and iPadOS 26.2
Apple addressed two Apple 0-day vulnerabilities in WebKit exploited in the wild against a limited set of users.
The updates strengthen memory management and input validation to block arbitrary code execution triggered by malicious pages. Apple coordinated disclosure and remediation with Google TAG and withheld attacker attribution.
Security teams that previously prioritized the iOS 18.2 security update should now expedite deployment of iOS 26.2 and iPadOS 26.2 due to active exploitation.
WebKit zero day exploits at the core
The most critical Apple 0-day vulnerabilities involve initial compromise through drive-by or booby-trapped content rendered by WebKit:
- CVE-2025-43529 (WebKit): Use-after-free enabling code execution. Apple improved memory management. Credited to Google TAG.
- CVE-2025-14174 (WebKit): Memory corruption leading to code execution. Apple improved input validation. Credited to Apple and Google TAG.
Because these Apple 0-day vulnerabilities can trigger on page load, Apple urges all supported devices to install iOS 26.2/iPadOS 26.2 immediately.
Additional fixes across the stack
Beyond the Apple 0-day vulnerabilities, Apple resolved more than 30 issues across core components:
- Kernel (CVE-2025-46285): Integer overflow that could enable root privilege escalation, reported by Kaitao Xie and Xiaolong Bai (Alibaba Group).
- Screen Time (CVE-2025-46277, CVE-2025-43538): Logging flaws risking Safari history or user data exposure.
- Messages (CVE-2025-46276): Issue allowing potential access to sensitive data, credited to Rosyna Keller.
- WebKit hardening (e.g., CVE-2025-43541, CVE-2025-43501): Fixes for type confusion, buffer overflows, and crashes.
- Open-source components: libarchive (CVE-2025-5918) and curl (CVE-2024-7264, CVE-2025-9086) patched to address upstream vulnerabilities.
These updates complement the WebKit zero day exploits fixes, limiting post-exploitation options and reducing lateral movement risks.
Affected devices and how to update
Apple 0-day vulnerabilities impact: iPhone 11 and later; iPad Pro 12.9‑inch (3rd gen and later) and 11‑inch (1st gen and later); iPad Air (3rd gen and later); iPad (8th gen and later); and iPad mini (5th gen and later).
Update path: Settings > General > Software Update > Download and Install iOS 26.2/iPadOS 26.2. Back up first and use a reliable connection. Given active exploitation of these Apple 0-day vulnerabilities, fast rollout is essential even for perceived low-risk users.
Evidence and context behind the attacks
Apple confirmed active exploitation of Apple 0-day vulnerabilities before the release of iOS 26.2 and iPadOS 26.2. Joint analysis with Google TAG indicates targeted spyware activity leveraging WebKit zero-day exploits.
See Apple’s advisory at Apple Security Updates and TAG research at Google TAG.
For context on Apple’s patch cadence and prior emergency updates, review our coverage of recent Apple security patch releases, the role of timely third‑party library fixes (curl), and previous zero‑day exploitation trends.
Related iOS tradecraft also surfaced when USB Restricted Mode was exploited.
Operational guidance for security teams
Deploy iOS 26.2/iPadOS 26.2 across eligible devices without delay. Validate on a pilot group, then accelerate broad rollout. Enforce safe browsing policies and monitor high-risk users.
After patching Apple 0-day vulnerabilities, verify Screen Time and Messages behavior due to the volume of related fixes.
Strengthen your mobile security stack
Implications for users and organizations
Rapid patch availability constrains attacker dwell time. Apple’s collaboration with Google TAG increases detection fidelity and validation, making it harder for adversaries to reuse the same exploit chains.
The breadth of fixes around WebKit, Kernel, and platform services further narrows post-exploitation options after initial compromise through Apple 0-day vulnerabilities.
However, exploitation preceded the patches, underscoring that sophisticated actors, potentially state-aligned, can still reach hardened devices via WebKit zero-day exploits.
Organizations with high-risk profiles should prioritize swift deployment, enhance telemetry on mobile browsers, and maintain continuous monitoring for anomalous network and process activity.
Conclusion
Two in-the-wild WebKit flaws sit at the center of the Apple 0-day vulnerabilities, enabling code execution via malicious web content. Apple’s updates close the exploit path used in targeted attacks.
If you run iPhone 11 or later or a supported iPad, install iOS 26.2/iPadOS 26.2 now. Even teams that completed the iOS 18.2 security update should move immediately to the latest release.
Sustained vigilance is necessary as attackers probe for new Apple 0-day vulnerabilities. Track advisories and verify that protections remain effective after each update cycle.
Questions Worth Answering
Which devices are affected?
– iPhone 11 and later; multiple iPad models including Pro, Air, iPad, and mini.
What are the exploited vulnerabilities?
– CVE-2025-43529 and CVE-2025-14174 in WebKit enabling arbitrary code execution.
How severe is the risk?
– High. The Apple 0-day vulnerabilities were used in targeted spyware campaigns.
How do I install the update?
– Settings > General > Software Update > Download and Install iOS 26.2/iPadOS 26.2.
Who discovered the flaws?
– Google TAG reported CVE-2025-43529; CVE-2025-14174 is credited to Apple and Google TAG.
Are Macs affected?
– This advisory covers iOS and iPadOS. The fixes focus on iPhone and iPad.
What else did Apple fix?
– Kernel escalation, Screen Time and Messages data exposures, WebKit hardening, and third‑party component patches.
About Apple
Apple designs consumer devices and platforms including iPhone and iPad with tightly integrated hardware, software, and services.
The company runs a structured security updates program to remediate vulnerabilities across its ecosystem.
Apple collaborates with external researchers, including Google TAG, to investigate and address critical threats quickly.
More smart picks for your stack
- Passpack – Team password manager to reduce credential sprawl.
- Tenable – Exposure management for continuous vulnerability tracking.
- Tresorit – Secure collaboration for regulated environments.
- CyberUpgrade – Security awareness training to reduce human risk.
Level up now: Protect passwords with 1Password, secure files with Tresorit, and back up everything with IDrive.
