Apple has issued an urgent security alert to all iPhone users, warning them to immediately update their devices following the discovery of critical vulnerabilities that have already been exploited in targeted attacks.
The tech giant released iOS version 26.2 earlier this month, which contains fixes for two severe security flaws within the WebKit browser engine. Apple confirmed it is 'aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.'
What Were the Critical Security Flaws?
The vulnerabilities resided in WebKit, the engine behind Safari. On iPhone, Apple's rules require third-party browsers such as Chrome and Edge to use WebKit as well, so a WebKit bug is not confined to a single app: any browser, and any app that displays web content, was exposed.
Exploiting these bugs did not require a user to click a link or enter details, as in a typical phishing scam. Simply visiting a malicious website or loading a compromised advert could have been enough to infect a device.
The first flaw was a 'use-after-free' bug: the engine released a block of memory while still holding a reference to it. A malicious web page can arrange for that block to be reused by data it controls, so the stale reference ends up pointing at attacker-chosen bytes. Exploited, this lets the page run code of the attacker's choosing inside the browser's content process; chained with further bugs that escape the sandbox, that foothold is what allows spyware to turn on the microphone, access the camera or track the phone's location.
The second vulnerability was a memory corruption bug. When rendering website content, WebKit could be made to write past the end of a buffer into adjacent memory, corrupting whatever lives there. At best that crashes the browser; at worst the corrupted data is something the engine relies on for its security checks, and the attacker can tamper with it.
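To make the two bug classes concrete, the following is an illustration added for this article, not WebKit's code. The toy fixed-size allocator, the `element` structure with its privilege flag, and the attacker inputs are all constructed for the example; they make the behaviour deterministic so it can be observed: a stale pointer reads attacker bytes after a free, a reference count prevents the premature free, and an unchecked copy spills into the neighbouring object while a clamped copy does not.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy fixed-size allocator (constructed for this example, not WebKit's). Many
 * real allocators hand out the most recently freed chunk first; that reuse is
 * what a use-after-free exploit relies on, and here it is deterministic. */
#define CHUNK_SIZE 32
#define NUM_CHUNKS 4
static uint8_t heap[NUM_CHUNKS * CHUNK_SIZE]; /* chunk i lives at heap + i*CHUNK_SIZE */
static int free_stack[NUM_CHUNKS];            /* LIFO free list of chunk indexes */
static int free_top;

static void toy_heap_reset(void) {
    memset(heap, 0, sizeof heap);
    free_top = 0;
    for (int i = NUM_CHUNKS - 1; i >= 0; i--) /* chunk 0 is handed out first */
        free_stack[free_top++] = i;
}
static void *toy_malloc(void) {
    return free_top ? heap + free_stack[--free_top] * CHUNK_SIZE : NULL;
}
static void toy_free(void *p) {
    free_stack[free_top++] = (int)(((uint8_t *)p - heap) / CHUNK_SIZE);
}

/* Hypothetical renderer object, exactly one chunk in size: a flag that gates a
 * privileged operation, a reference count, and a short name. */
struct element {
    uint32_t is_privileged; /* 0 for every object a web page can legitimately create */
    uint32_t refcount;
    char name[CHUNK_SIZE - 2 * sizeof(uint32_t)];
};

/* Use-after-free: the object is freed while a second pointer still refers to it.
 * An attacker-sized allocation (think an ArrayBuffer filled from JavaScript)
 * reuses the chunk, so the stale pointer now reads attacker-chosen bytes. */
bool uaf_vulnerable(void) {
    toy_heap_reset();
    struct element *e = toy_malloc();
    e->is_privileged = 0;
    strcpy(e->name, "div");
    struct element *stale = e;          /* e.g. a cached reference in the DOM tree */
    toy_free(e);                        /* freed without regard to that reference */
    uint8_t *attacker = toy_malloc();   /* the same chunk comes straight back */
    memset(attacker, 0xFF, CHUNK_SIZE); /* constructed attacker payload */
    return stale->is_privileged != 0;   /* true: the privilege check is defeated */
}

/* Mitigation: ownership is tracked, so the object is not freed while a
 * reference is still held, and freed memory is wiped before it can be reused. */
static struct element *element_retain(struct element *e) { e->refcount++; return e; }
static void element_release(struct element *e) {
    if (--e->refcount == 0) { memset(e, 0, sizeof *e); toy_free(e); }
}
bool uaf_mitigated(void) {
    toy_heap_reset();
    struct element *e = toy_malloc();
    e->is_privileged = 0;
    e->refcount = 1;
    strcpy(e->name, "div");
    struct element *stale = element_retain(e); /* second owner: refcount 2 */
    element_release(e);                        /* refcount 1: chunk stays allocated */
    uint8_t *attacker = toy_malloc();          /* lands in a different chunk */
    memset(attacker, 0xFF, CHUNK_SIZE);
    bool tampered = stale->is_privileged != 0; /* false: the object is untouched */
    element_release(stale);                    /* last owner releases: now it is freed */
    return tampered;
}

/* Out-of-bounds write: an unchecked copy spills past the end of the name field
 * into the next chunk and overwrites the neighbouring object's privilege flag. */
static const char kOversizedInput[] = /* constructed: 40 bytes, the field holds 23 */
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

bool overflow_vulnerable(void) {
    toy_heap_reset();
    struct element *buf = toy_malloc();    /* chunk 0 */
    struct element *victim = toy_malloc(); /* chunk 1, directly after it */
    victim->is_privileged = 0;
    memcpy(buf->name, kOversizedInput, strlen(kOversizedInput)); /* no length check */
    return victim->is_privileged != 0;     /* true: the neighbour is corrupted */
}
bool overflow_fixed(void) {
    toy_heap_reset();
    struct element *buf = toy_malloc();
    struct element *victim = toy_malloc();
    victim->is_privileged = 0;
    size_t n = strlen(kOversizedInput);
    if (n >= sizeof buf->name) n = sizeof buf->name - 1; /* clamp to the field */
    memcpy(buf->name, kOversizedInput, n);
    buf->name[n] = '\0';
    return victim->is_privileged != 0;     /* false: the neighbour is intact */
}
```

Real allocators and real WebKit objects are far more complex, but the shape is the same: the exploit needs a dangling reference plus control over what replaces the freed object, or a write whose length the engine never checked. The two fixed variants show the two disciplines that close those doors, tracked ownership and bounds checks.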
Who Was at Risk and What Are the Implications?
While a mass attack on general users is unlikely, the nature of the exploitation suggests high-value targets were at significant risk. Individuals such as journalists, political figures, or human rights activists may have been in the crosshairs.
This pattern aligns with previous campaigns using spyware such as Pegasus, which has leveraged similar undisclosed 'zero-day' flaws to take control of devices. Apple's own advisory is the source for the pre-patch exploitation; the US Cybersecurity and Infrastructure Security Agency (CISA) has since added the bugs to its Known Exploited Vulnerabilities catalogue, which lists flaws with evidence of exploitation in the wild and obliges US federal agencies to patch them by a set deadline.
Alongside the WebKit patches, the iOS 26.2 update also fixes other issues, including a configuration bug that could have allowed unauthorised access to the Hidden Photos Album and a problem where password fields were unintentionally revealed during a FaceTime remote control session.
How to Protect Your iPhone Now
Apple and security experts urge all users to install the update immediately. To do this, go to Settings > General > Software Update and download iOS 26.2 if it is offered; if the device is already on 26.2, that screen says so.
If automatic updates are enabled, the device may already be protected, but it is prudent to check manually: automatic installs typically wait until the phone is idle, charging and on Wi-Fi, so they can lag the release by days. Restarting the iPhone evicts an implant that lives only in memory, which is how many browser-delivered spyware stages operate, but it does nothing against one that has established persistence and is no substitute for installing the fix. Users who believe they may be personally targeted should also consider enabling Lockdown Mode (Settings > Privacy & Security > Lockdown Mode), which disables many of the web and messaging features such exploit chains rely on.
The discovery of these actively exploited flaws serves as a critical reminder of the importance of prompt software updates in maintaining digital security, especially for those who may be targeted for their work or profile.