Apple iOS 26 Update

When is Apple’s critical update coming to your iPhone?


Updated on Dec. 13 with additional detail on the security implications for users.

The wait for Apple’s iOS 26.2 is over. Every day this week, reports have suggested “it could be today.” Now that it’s here, you need to install the update. Apple warns that two of more than 20 vulnerabilities “may have been exploited in an extremely sophisticated attack,” just days after it issued spyware warnings to users around the world.

The two vulnerabilities under attack affect WebKit, the framework underpinning all iPhone browsers. We often see vulnerabilities and fixes affecting WebKit, given it’s a window on the world, highly valued by attackers targeting iPhones.

CVE-2025-43529 and CVE-2025-14174 were disclosed by Google’s Threat Analysis Group. For both, Apple warns the threat was that “maliciously crafted web content may lead to memory corruption,” affecting devices pre-iOS 26. Tandem vulnerabilities that are linked in this way are a strong hallmark of commercial spyware.


The appearance of a second release candidate to beta testers earlier this week suggested some late changes or bugs might need to be addressed. I had suggested mid-December for these next security fixes and that it was unlikely to be released on a Friday.

That’s unprecedented — take this seriously.

Apple is pushing iOS 18 holdouts to upgrade to iOS 26, which makes this new update even more important. iOS 26 brings new scam defenses to iPhone, closing the gap to Android, which has these already, as well as anti-fingerprinting defaults in Safari.

Do not wait. Update your iPhone as soon as it’s available. Go to Settings > General > Software Update, and tap to update when iOS 26.2 is there. And as I’ve said before, even if you can stay on iOS 18 and keep it updated — you shouldn’t.

Beyond critical security fixes, the update brings a useful security PIN to AirDrop, better securing file and media transfers to users outside your contacts. There’s also a new, localized emergency alert feature which will request your location data.

The AirDrop PIN comes at an interesting time, with Google having just breached Apple’s walled garden to enable Pixels to connect via the AirDrop protocol. No reason as yet to think the update will hamper that, albeit there’s always speculation Apple will look to shut down this kind of protocol reverse engineering where it can.

Apple releasing the update on a Friday suggests to me that it’s a more serious set of security fixes than expected. All the more reason to update as soon as you can.

The response to iOS 26.2 backs up that assumption, that this is more serious than expected. Per Cyber Press, “both vulnerabilities were discovered in collaboration with Google’s Threat Analysis Group (TAG) and were linked to targeted exploitation campaigns targeting iOS 26 and earlier. Apple confirmed these issues may have been used in sophisticated attacks against specific individuals, suggesting the flaws could have been part of a zero-day exploitation chain designed for espionage or surveillance.”


The fact that actively exploited vulnerabilities are linked also strongly suggests a chained spyware attack. That they were disclosed jointly by Apple and Google all but confirms it. “In all probability, these vulnerabilities have been chained to achieve exploitation,” Mayuresh Dani from Qualys told me. A chained attack is often where one exploit destabilizes a system and other exploits use the open door to target specific apps.

The Hacker News reports the same. The linkages and Apple/Google disclosure “indicates that the vulnerabilities were likely weaponized in highly-targeted mercenary spyware attacks, given that they both affect WebKit, the rendering engine that’s also used in all third-party web browsers on iOS and iPadOS, including Chrome, Microsoft Edge, Mozilla Firefox, and others.”

While Apple has emphasized that these attacks are highly targeted, James Maude from BeyondTrust warns that it won’t stay that way for long. “Even though this only appears to be linked to a small number of targeted attacks it will quickly become a must have exploit for a range of threat actors.”