Updates tackle more than 30 risks across components such as the kernel, App Store, and apps such as Messages and Photos.

On 12 December 2025, to counter two zero-day flaws in its WebKit tool, Apple released urgent patches for iOS 26.2 and iPadOS 26.2.

Vulnerabilities CVE-2025-43529 and CVE-2025-14174 in earlier versions had been exploited in highly advanced operations against select iOS users, stemming from a use-after-free error and a memory corruption problem, respectively, which could trigger code execution or data mishandling via harmful web pages.

Earlier, CVE-2025-14174 was also a problem with Google’s Chrome browser, and the latter firm had jointly worked with Apple to identify the same zero day in iPhones and iPads.​

The update tackles more than 30 risks across components such as the kernel, App Store, and apps such as Messages and Photos, affecting iPhone 11 onward and compatible iPads:

  • In the kernel, CVE-2025-46285 fixes an integer overflow letting apps seize root access, credited to Alibaba Group researchers; developers added 64-bit timestamps for safety.
  • The App Store’s CVE-2025-46288 blocks apps from grabbing Apple Pay tokens through tighter permissions, found by ByteDance’s IES Red Team.​
  • Screen Time patches prevent apps from viewing Safari history or user details via better log filtering in CVE-2025-46277 and CVE-2025-43538
  • Messages resolves CVE-2025-46276 to stop data leaks with enhanced privacy, while Telephony’s CVE-2025-46292 adds checks against sensitive info access; both traced to Rosyna Keller.
  • Photos secures hidden albums from unauthorized views under CVE-2025-43428
  • FaceTime hides password fields during shares via CVE-2025-43542
  • Calling Framework curbs FaceTime ID spoofing in CVE-2025-46287 with state fixes
  • Icons blocks app detection of others via CVE-2025-46279 restrictions.
  • MediaExperience redacts logs in CVE-2025-43475
  • Foundation handles spellcheck files and data crashes in CVE-2025-43518 and CVE-2025-43532
  • Multi-Touch validates inputs against crashes in CVE-2025-43533.
  • WebKit includes fixes for crashes from type confusion, overflows, and races like CVE-2025-43541, CVE-2025-43501, and CVE-2025-43531.

This marks Apple’s seventh to ninth zero-day fixes in 2025, amid threats from spyware like Pegasus, urging immediate updates through Settings for protection.

Similar patches have hit macOS Tahoe 26.2, extending safeguards. CISA even listed CVE-2025-14174 as exploited, mandating federal patches by January 2026.