Apple iPhone Zero-Day Vulnerabilities: WebKit Exploits Targeting iOS Users Exposed (2026)

Breaking News: iPhone Users at Risk! Apple has just released critical updates to address zero-day vulnerabilities that were actively exploited in sophisticated attacks targeting specific iPhone users. This is a serious situation, so let's dive into the details.

On December 12, 2025, Apple rolled out iOS 26.2 and iPadOS 26.2 updates to patch two actively exploited WebKit zero-day flaws. These updates are crucial for anyone using an iPhone or iPad.

The Vulnerabilities Unpacked:

The first vulnerability, identified as CVE-2025-43529, is a use-after-free flaw in WebKit, in which memory is accessed after it has been freed. This means attackers could potentially execute arbitrary code through malicious web content. Google's Threat Analysis Group discovered this critical flaw.

The second vulnerability, CVE-2025-14174, is related to memory corruption. Apple and Google TAG collaborated to identify this issue, which was also linked to targeted spyware campaigns.

Here's a quick breakdown:

  • CVE-2025-43529: WebKit - Arbitrary code execution (Use-after-free). Discovered by Google Threat Analysis Group.
  • CVE-2025-14174: WebKit - Memory corruption. Discovered by Apple & Google TAG.

What Devices Are Affected?

These vulnerabilities affect iPhone 11 and later models, along with specific iPad Pro, Air, and mini variants.

Beyond WebKit: Other Critical Fixes

Apple didn't stop there. They also fixed over 30 other vulnerabilities across various components, including the Kernel, Foundation, Screen Time, and curl.

  • Kernel Vulnerability (CVE-2025-46285): An integer overflow that could allow for root privilege escalation. Discovered by Alibaba Group researchers.
  • Screen Time Flaws (CVE-2025-46277, CVE-2025-43538): Multiple logging flaws that could expose Safari history or user data.

Additional patches were released for WebKit, addressing type confusion, buffer overflows, and crashes. Open-source flaws in libarchive (CVE-2025-5918) and curl (CVE-2024-7264, CVE-2025-9086) were also addressed.

Key Takeaways from Other Critical Fixes:

  • Kernel (CVE-2025-46285): Root privileges. Credit: Kaitao Xie, Xiaolong Bai.
  • Screen Time (CVE-2025-46277): Access Safari history. Credit: Kirin (@Pwnrin).
  • Messages (CVE-2025-46276): Access sensitive data. Credit: Rosyna Keller.

Affected Devices and Mitigation

If you own an iPhone 11 or later, or one of the affected iPad models (iPad Pro, iPad Air, or iPad mini), you need to take action.

How to Protect Yourself:

  • Go to Settings > General > Software Update and install the latest update immediately.

Apple hasn't released specific details about the attackers, but their collaboration with Google suggests nation-state-level threats. This means the attacks are likely sophisticated and targeted.

Affected Products and Versions:

  • iOS: Affected versions: before 26.2 (exploited pre-26). Fix: update to 26.2. Compatible with iPhone 11 and later.
  • iPadOS: Affected versions: before 26.2 (exploited pre-26). Fix: update to 26.2. Compatible with iPad Pro 12.9″ (3rd gen+), iPad Pro 11″ (1st gen+), iPad Air (3rd gen+), iPad (8th gen+), iPad mini (5th gen+).
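
For anyone responsible for more than one device, the version list above can be turned into a fleet check. The following is an added example, not code from the article or from Apple: it sorts a device inventory into patched, needs-update and unknown against the 26.2 fixed version stated above. The CSV column names and the sample rows are constructed assumptions standing in for an MDM export.

```python
import csv
import io
import re

FIXED = (26, 2)  # fixed iOS/iPadOS version stated in the article

# Constructed sample inventory (hypothetical MDM export; column names are assumptions).
SAMPLE_INVENTORY = """serial,platform,os_version
C0NSTRUCT01,iOS,26.2
C0NSTRUCT02,iOS,26.1.1
C0NSTRUCT03,iPadOS,26.0
C0NSTRUCT04,iOS,18.7.2
C0NSTRUCT05,iPadOS,26.2.1
C0NSTRUCT06,iOS,unknown
C0NSTRUCT07,macOS,26.1
"""

def parse_version(text):
    """Return a tuple of ints for 'major[.minor[.patch]]', or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_patched(version):
    """Compare numerically, padded so 26.2 == 26.2.0 and 26.10 > 26.2."""
    padded = version + (0,) * (3 - len(version))
    return padded >= FIXED + (0,)

def triage(inventory_csv):
    """Sort iOS/iPadOS devices into patched / needs_update / unknown by serial."""
    result = {"patched": [], "needs_update": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["platform"] not in ("iOS", "iPadOS"):
            continue  # the 26.2 threshold in the article covers iOS and iPadOS only
        version = parse_version(row["os_version"])
        if version is None:
            result["unknown"].append(row["serial"])  # fail closed: needs a manual look
        elif is_patched(version):
            result["patched"].append(row["serial"])
        else:
            result["needs_update"].append(row["serial"])
    return result

if __name__ == "__main__":
    for bucket, serials in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(serials) or '-'}")
```

Versions are compared as integer tuples because a plain string comparison would rank "26.10" below "26.2". A device on an older major branch is reported as needing an update, since 26.2 is the only fixed version the article lists.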

Final Thoughts:

This is a critical reminder of the importance of keeping your devices updated. These updates are essential for protecting your data and privacy. Are you updating your devices immediately? Let us know in the comments below!

Article information

Author: Allyn Kozey
