New Update: iOS 26.2 patches 20+ security flaws, including two exploited WebKit bugs

Written by: Hunter Podell, Subject Matter Expert and Website Founder
Published: December 12, 2025

Apple has released iOS 26.2 and iPadOS 26.2, alongside macOS Tahoe 26.2, with a mix of new features, bug fixes, and a sizeable security bundle. The company says the updates address more than 20 vulnerabilities, and two of the fixes cover WebKit issues that Apple believes were already used in real-world attacks.

Two WebKit vulnerabilities were reportedly exploited

In Apple’s security notes, the company calls out two WebKit flaws that may have been leveraged in an “extremely sophisticated” campaign aimed at “specific targeted individuals,” affecting versions of iOS prior to iOS 26. One issue could allow arbitrary code execution; the other could lead to memory corruption. Apple’s documentation ties these reports to CVE-2025-43529 and CVE-2025-14174.

While Apple doesn’t share technical exploit details publicly, the takeaway is simple: WebKit sits at the heart of Safari and many in-app browsers, so a single weakness there can have broad reach—especially when triggered by crafted web content.

Other fixes span apps and core services

Beyond WebKit, the iOS/iPadOS 26.2 security list includes patches for a range of components, and some of the flaws fixed could affect privacy or account security in everyday scenarios:

  • App Store: a permissions fix to prevent an app from accessing sensitive payment tokens (CVE-2025-46288).

  • Photos: a fix so items in the Hidden Photos Album can’t be viewed without authentication (CVE-2025-43428).

  • FaceTime: a fix for remote control sessions where password fields could be unintentionally revealed (CVE-2025-43542).

  • Kernel: a fix for an integer overflow that might let an app gain root privileges (CVE-2025-46285).

Why updating quickly matters

Once Apple publishes security notes, defenders learn what was fixed—but so do attackers. That’s why Apple (and outlets tracking the release) generally recommend updating promptly across affected devices.