The most prominent recent Apple iOS security issue involves two zero-day vulnerabilities in the WebKit rendering engine, which were actively exploited in sophisticated, targeted attacks against specific individuals before the release of iOS 26.2 and iPadOS 26.2 on December 12, 2025.
Both flaws could allow an attacker to execute arbitrary code on the device once a user is tricked into processing maliciously crafted web content, for example by visiting a compromised website.
Details of the Zero-Day Vulnerabilities
• CVE-2025-43529 (WebKit Memory Corruption): This issue stemmed from inadequate validation during web content processing, potentially leading to memory corruption and subsequent code execution. Apple addressed it by implementing improved validation checks in WebKit.
• CVE-2025-43529 (WebKit Use-After-Free): A related flaw involved improper memory management (use-after-free), which could also result in arbitrary code execution. It was fixed through enhanced memory management in WebKit. This was reported by the Google Threat Analysis Group.
These were part of a broader security update that patched over 20 vulnerabilities across components including the kernel, the App Store, and FaceTime. For instance:
• CVE-2025-46285 (Kernel): An integer overflow could allow an app to escalate to root privileges; fixed by switching to 64-bit timestamps.
• CVE-2025-46288 (App Store): A permissions flaw might let apps access sensitive payment tokens; resolved with added restrictions.
Apple recommends updating immediately to iOS 26.2 (or later) via Settings > General > Software Update, because although the exploits were limited in scope they were highly targeted. No widespread incidents have been reported, but the fixes close the path to spyware installation or data theft in such attack scenarios. For the full list of addressed CVEs, see Apple's official security content page.
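The practical follow-up to this advice in a managed fleet is checking which devices are still below the patched release. The following is an added example, not Apple's or any MDM vendor's tooling: it compares installed iOS/iPadOS version strings against the 26.2 threshold named above. The inventory rows are constructed sample data, and the `MIN_PATCHED` constant and the function names are assumptions made for illustration.

```python
"""Flag iOS/iPadOS devices below the patched release (26.2) in a constructed inventory.

Added example, not Apple's tooling. The inventory rows, MIN_PATCHED and the
helper names are assumptions; the 26.2 threshold comes from the advisory text.
"""
from __future__ import annotations

# Minimum release that contains the WebKit fixes, per the advisory text.
MIN_PATCHED = "26.2"

# Constructed sample MDM export: (device name, platform, installed OS version).
SAMPLE_INVENTORY = [
    ("iphone-finance-01", "iOS", "26.2"),
    ("iphone-exec-07", "iOS", "26.1.1"),
    ("ipad-kiosk-03", "iPadOS", "26.2.1"),
    ("ipad-lab-12", "iPadOS", "18.7"),
    ("iphone-dev-02", "iOS", "26.10"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '26.1.1' into (26, 1, 1). Raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(installed: str, minimum: str = MIN_PATCHED) -> bool:
    """True if `installed` is at or above `minimum`.

    Tuple comparison handles components of differing length correctly:
    (26, 2) < (26, 2, 1) and (26, 10) > (26, 2), whereas a naive string
    comparison would wrongly rank "26.10" below "26.2".
    """
    return parse_version(installed) >= parse_version(minimum)


def unpatched_devices(inventory, minimum: str = MIN_PATCHED) -> list[str]:
    """Return the names of devices still running a release below `minimum`."""
    return [name for name, _platform, version in inventory
            if not is_patched(version, minimum)]


if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"needs update to {MIN_PATCHED} or later: {name}")
```

Running the script against the constructed inventory lists the two devices still on 26.1.1 and 18.7; point `SAMPLE_INVENTORY` at a real MDM export to use it in practice.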