Updated on Dec. 12 with the unexpected Friday release of iOS 26.2.
The wait for Apple’s iOS 26.2 is over. Every day this week, reports have suggested “it could be today.” Now that it’s here, you need to install the update. Apple warns that two of more than 20 vulnerabilities “may have been exploited in an extremely sophisticated attack,” just days after it issued spyware warnings to users around the world.
The two vulnerabilities under attack affect WebKit, the framework underpinning all iPhone browsers. We often see vulnerabilities and fixes affecting WebKit, given it’s a window on the world, highly valued by attackers targeting iPhones.
CVE-2025-43529 and CVE-2025-14174 were disclosed by Google’s Threat Analysis Group. For both, Apple warns the threat was that “maliciously crafted web content may lead to memory corruption,” affecting devices pre-iOS 26. Tandem vulnerabilities that are linked in this way are a strong hallmark of commercial spyware.
Apple won’t link these vulnerabilities to this month’s spyware warnings, but the timing is notable. It may also explain the delay. The appearance of a second release candidate to beta testers earlier this week suggested some late changes or bugs might need to be addressed. I had suggested mid-December for these next security fixes and that it was unlikely to be released on a Friday. That’s unprecedented — take this seriously.
Apple is pushing iOS 18 holdouts to upgrade to iOS 26, which makes this new update even more important. iOS 26 brings new scam defenses to iPhone, closing the gap to Android, which has these already, as well as anti-fingerprinting defaults in Safari.
Do not wait. Update your iPhone as soon as it’s available. Go to Settings > General > Software Update, and tap to update when iOS 26.2 is there. And as I’ve said before, even if you can stay on iOS 18 and keep it updated — you shouldn’t.
Beyond critical security fixes, the update brings a useful security PIN to AirDrop, better securing file and media transfers to users outside your contacts. There’s also a new, localized emergency alert feature which will request your location data.
The AirDrop PIN comes at an interesting time, with Google having just breached Apple’s walled garden to enable Pixels to connect via the AirDrop protocol. No reason as yet to think the update will hamper that, albeit there’s always speculation Apple will look to shut down this kind of protocol reverse engineering where it can.
Apple releasing the update today, Friday, suggests to me that it’s a more serious set of security fixes than expected. All the more reason to update as soon as you can.


