What are the vulnerabilities of the iOS operating system?

The iOS operating system, developed by Apple, is designed with strong security features like sandboxing, code signing, and regular updates. However, like any complex software, it has vulnerabilities that can be exploited if not patched. 



As of December 13, 2025, Apple has released iOS 26.2 and iPadOS 26.2 (for newer devices) and iOS 18.7.3 and iPadOS 18.7.3 (for older supported devices), both on December 12, 2025. These updates address over 30 vulnerabilities, including several zero-day issues actively exploited in targeted attacks. Apple patches these promptly, and updating is the best defense.

Key highlights from these updates:

•  Exploited in the Wild: Two WebKit vulnerabilities (CVE-2025-43529 and CVE-2025-14174) were used in sophisticated attacks against specific individuals before iOS 26. These could lead to arbitrary code execution or memory corruption via malicious web content.

•  Privilege Escalation Risks: Kernel flaws like CVE-2025-46285 (integer overflow allowing root access) and CVE-2025-43512 (logic issue enabling privilege elevation).

•  Privacy and Data Leaks: Issues in components like Screen Time, Messages, and Telephony that could expose user data, such as Safari history or sensitive tokens.

•  App and System Crashes: Multiple memory corruption bugs in WebKit, Foundation, and AppleJPEG that could cause crashes or denial-of-service.

Apple has addressed nine zero-day vulnerabilities exploited in 2025 so far. No unpatched critical vulnerabilities are publicly known at this time, but users should enable automatic updates.

Detailed Vulnerabilities by Component (from Latest Updates)

Below is a consolidated list of notable fixes from iOS 26.2 and iOS 18.7.3. Duplicates across versions are noted only once for brevity. Impacts range from crashes to potential code execution.

WebKit (Core Browser Engine – 9 fixes)

•  CVE-2025-43529: Use-after-free; arbitrary code execution via web content. Exploited in targeted attacks.

•  CVE-2025-14174: Memory corruption via web content. Exploited in targeted attacks.

•  CVE-2025-43536: Use-after-free; process crash via web content.

•  CVE-2025-43535: Memory handling issue; process crash via web content.

•  CVE-2025-43541: Type confusion; Safari crash via web content.

•  CVE-2025-43531: Race condition; process crash via web content.

•  CVE-2025-43501: Buffer overflow; process crash via web content.

•  CVE-2025-43511 (Web Inspector): Use-after-free; process crash via web content.

Kernel (System Core – 3 fixes)

•  CVE-2025-46285: Integer overflow; app gains root privileges.

•  CVE-2025-43512: Logic issue; app elevates privileges.

•  CVE-2025-43533 (Multi-Touch): Memory corruption; malicious HID device causes crash.

Foundation (System Libraries – 2 fixes)

•  CVE-2025-43532: Memory corruption; app termination via malicious data.

•  CVE-2025-43518: Logic issue; app accesses files via spellcheck API.

Privacy and User Data Components

•  Screen Time (CVE-2025-46277, CVE-2025-43538): Logging issues; app accesses Safari history or sensitive data.

•  Messages (CVE-2025-46276): Info disclosure; app accesses sensitive user data.

•  Telephony (CVE-2025-46292): Entitlement checks; app accesses user data.

•  Photos (CVE-2025-43428): Config issue; hidden photos viewable without auth.

•  Settings (CVE-2025-43530): Checks issue; app accesses sensitive data.

•  Icons (CVE-2025-46279): Permissions; app detects installed apps.

•  App Store (CVE-2025-46288): Permissions; app accesses payment tokens.

•  MediaExperience (CVE-2025-43475): Logging; app accesses sensitive data.

•  Calling Framework / Call History (CVE-2025-46287): UI spoofing; attacker spoofs FaceTime caller ID.

•  FaceTime (CVE-2025-43542): State management; password fields revealed during remote control.

Other Components

•  AppleJPEG (CVE-2025-43539): Bounds checks; memory corruption via file processing.

•  libarchive (CVE-2025-5918): Memory corruption via file processing.

•  curl (CVE-2024-7264, CVE-2025-9086): Multiple issues in open-source curl library.

For full details, visit Apple’s security updates page. If you’re on an older version, update immediately to mitigate risks—exploits often target unpatched devices. iOS’s closed ecosystem reduces exposure compared to Android, but vigilance is key.
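To check a device fleet against the two fixed releases named above (iOS 26.2 and iOS 18.7.3), the following added example, which is not Apple's code or part of the original post, classifies each device in an inventory export. The inventory rows and the column names device and os_version are constructed for illustration, and treating branches newer than 26 as patched is an assumption.

```python
import csv
import io

# Fixed releases named on this page, keyed by major-version branch.
BASELINES = {26: (26, 2, 0), 18: (18, 7, 3)}

# Constructed sample inventory; the column names are hypothetical.
SAMPLE_INVENTORY = """device,os_version
iphone-a,26.2
iphone-b,26.1
ipad-c,18.7.3
ipad-d,18.7.2
iphone-e,17.7.1
iphone-f,unknown
"""

def parse_version(text):
    """Return a 3+ component tuple of ints, or None for a malformed string."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad "26.2" to (26, 2, 0)

def classify(version_text):
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    major = version[0]
    if major in BASELINES:
        return "patched" if version >= BASELINES[major] else "needs-update"
    if major > max(BASELINES):
        return "patched"  # assumption: later branches carry the fixes
    return "no-fix-listed"  # branch has no fixed release on this page

def audit(csv_text):
    """Return (device, version, status) for every device that is not patched."""
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = []
    for row in rows:
        status = classify(row["os_version"])
        if status != "patched":
            findings.append((row["device"], row["os_version"], status))
    return findings

if __name__ == "__main__":
    for device, version, status in audit(SAMPLE_INVENTORY):
        print(f"{device}\t{version}\t{status}")
```

Devices reported as no-fix-listed are on a branch for which this page lists no fixed release, so they cannot reach a patched state without moving to a supported branch.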
