Update Your iPhone ASAP to Avoid FaceTime Scams

On Friday, Apple dropped iOS 26.2. Despite being the third update in the iOS 26 era, 26.2 still adds some interesting and useful new features, like alarms for reminders and refinements to the Sleep Score on Apple Watch.

Updates aren't all about the features, however. Apple typically includes a number of security patches with its software releases as well, which makes each update important to install. You don't always need to install the latest version of iOS or macOS to benefit from these security patches, either: Apple usually releases important security patches for some older versions of its software. iPhones running iOS 18 can install the same security patches as those running iOS 26, as can Mac users running macOS Sequoia or Sonoma, rather than Tahoe.

All that to say, Apple's update today comes with a series of patches you'll want to install on your iPhone—no matter what software version you're currently running. This particular release ships with 25 patches, and while some of them seem only pertinent to software developers, others are plainly serious.

iOS 26.2 patches some serious security vulnerabilities

Perhaps most importantly from a security perspective, this release includes two patches for potential zero-day vulnerabilities. Zero-day flaws are especially dangerous as they are either publicly disclosed or actively exploited before a developer has a chance to issue a patch—leaving users vulnerable to attack.

Both flaws (CVE-2025-43529 and CVE-2025-14174) affect WebKit, the browser engine behind Safari and other web browsers on iPhone. Before Apple patched these issues, bad actors could present users with malicious web content. Once the iPhone processed that content, it could lead to arbitrary code execution, which essentially allows the bad actor to run whatever code they want on your iPhone. Apple says it is aware of reports that these two flaws may have been exploited in "an extremely sophisticated attack against specific targeted individuals" in versions of iOS older than iOS 26.

This is not the first time Apple has patched flaws with this warning. Due to the iPhone's popularity, these flaws are valuable to governments and other large-scale actors that target high-profile individuals, like journalists and politicians. Apple will even send these users warnings when their iPhone has been identified in such an attack. While the risk is low that the average iPhone user will be targeted in one of these campaigns, it's not impossible, which means it's important to update as soon as a patch is available. The same applies to other Apple devices, like Macs, so update all of your devices as soon as possible.

While those two flaws are the most important of the bunch to fix, there are others here that you'll want to fix ASAP. One of the first to jump out at me was a "Calling Framework" flaw that allows bad actors to spoof their FaceTime caller ID. With the rise of AI scams, bad actors could create an AI voice that sounds like someone you know, and spoof their contact so it looks like they're calling you over FaceTime audio. This update patches that possibility—at least, as far as spoofing is concerned.


Speaking of FaceTime, this update also patches a flaw that sometimes reveals password fields when remotely controlling a device over FaceTime. If you were sharing your screen with someone over a video call, they might be able to see when you typed in your password and use that against you. There's also a patch for an issue that allowed an app to see other apps you had installed on your device—a major privacy and security vulnerability.

If you use the Photos app's Hidden feature to hide sensitive pictures you don't want others to see, you'll want to install this update ASAP, too: Previous versions of iOS contained a bug that made it possible to view these hidden photos without authentication.

iOS 26.2 security release notes

If you're interested in seeing all of Apple's security patches in this update, the full release notes are as follows:

App Store

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive payment tokens

Description: A permissions issue was addressed with additional restrictions.

CVE-2025-46288: floeki, Zhongcheng Li from IES Red Team of ByteDance

AppleJPEG

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing a file may lead to memory corruption

Description: The issue was addressed with improved bounds checks.

CVE-2025-43539: Michael Reeves (@IntegralPilot)

Calling Framework

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An attacker may be able to spoof their FaceTime caller ID

Description: An inconsistent user interface issue was addressed with improved state management.

CVE-2025-46287: an anonymous researcher, Riley Walz

curl

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Multiple issues in curl

Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.

CVE-2024-7264, CVE-2025-9086

FaceTime

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Password fields may be unintentionally revealed when remotely controlling a device over FaceTime

Description: This issue was addressed with improved state management.

CVE-2025-43542: Yiğit Ocak

Foundation

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to inappropriately access files through the spellcheck API

Description: A logic issue was addressed with improved checks.

CVE-2025-43518: Noah Gregory (wts.dev)

Foundation

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing malicious data may lead to unexpected app termination

Description: A memory corruption issue was addressed with improved bounds checking.

CVE-2025-43532: Andrew Calvano and Lucas Pinheiro of Meta Product Security

Icons

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to identify what other apps a user has installed

Description: A permissions issue was addressed with additional restrictions.

CVE-2025-46279: Duy Trần (@khanhduytran0)

Kernel

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Description: An integer overflow was addressed by adopting 64-bit timestamps.

CVE-2025-46285: Kaitao Xie and Xiaolong Bai of Alibaba Group

libarchive

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing a file may lead to memory corruption

Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.

CVE-2025-5918

MediaExperience

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access user-sensitive data

Description: A logging issue was addressed with improved data redaction.

CVE-2025-43475: Rosyna Keller of Totally Not Malicious Software

Messages

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: An information disclosure issue was addressed with improved privacy controls.

CVE-2025-46276: Rosyna Keller of Totally Not Malicious Software

Multi-Touch

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: A malicious HID device may cause an unexpected process crash

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2025-43533: Google Threat Analysis Group

Photos

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Photos in the Hidden Photos Album may be viewed without authentication

Description: A configuration issue was addressed with additional restrictions.

CVE-2025-43428: an anonymous researcher, Michael Schmutzer of Technische Hochschule Ingolstadt

Screen Time

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access a user’s Safari history

Description: A logging issue was addressed with improved data redaction.

CVE-2025-46277: Kirin (@Pwnrin)

Screen Time

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access sensitive user data

Description: A logging issue was addressed with improved data redaction.

CVE-2025-43538: Iván Savransky

Telephony

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with additional entitlement checks.

CVE-2025-46292: Rosyna Keller of Totally Not Malicious Software

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: A type confusion issue was addressed with improved state handling.

WebKit Bugzilla: 301257

CVE-2025-43541: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 301726

CVE-2025-43536: Nan Wang (@eternalsakura13)

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 300774

WebKit Bugzilla: 301338

CVE-2025-43535: Google Big Sleep, Nan Wang (@eternalsakura13)

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 301371

CVE-2025-43501: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: A race condition was addressed with improved state handling.

WebKit Bugzilla: 301940

CVE-2025-43531: Phil Pizlo of Epic Games

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 302502

CVE-2025-43529: Google Threat Analysis Group

WebKit

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.

Description: A memory corruption issue was addressed with improved validation.

WebKit Bugzilla: 303614

CVE-2025-14174: Apple and Google Threat Analysis Group

WebKit Web Inspector

Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 300926

CVE-2025-43511: 이동하 (Lee Dong Ha of BoB 14th)
