Apple has begun immediate distribution of a critical security update aimed at mitigating severe vulnerabilities identified in its mobile and desktop operating systems. The new build, identified as iOS 26.2, was developed to fix flaws that, according to technical reports, were being actively exploited by malicious actors. The company confirmed that the loopholes allowed the execution of unauthorized codes through manipulated web content, putting the integrity of user data at risk.
The central focus of this update lies on WebKit, the rendering engine used by the Safari browser and several other applications that access the internet in the Apple ecosystem. The discovered flaw allowed cybercriminals or mercenary spyware vendors to utilize web pages specifically designed to corrupt device memory. Once compromised, the system could grant unrestricted access to sensitive information, such as messages, location and private files, without the device owner realizing the intrusion.
Cybersecurity experts warn that the nature of the flaws fixed is classified as “zero-day”, a term used to describe vulnerabilities that were unknown to developers until the moment they were exploited in real attacks. The urgency of the update reflects the seriousness of the situation, as there was no prior defense against these incursions before the release of the correction patch.
Technical details of the fixed vulnerabilities
The flaws were officially cataloged under the codes CVE-2025-43529 and CVE-2025-14174, serving as a global reference for researchers and system administrators. The technical documentation points out that the main problem involved a buffer overflow in WebKit’s memory management. When processing certain types of malicious web content, the system failed to contain the data within the allocated limits, allowing external instructions to be written and executed in the processor’s privileged memory.
This breach affected not only the Apple’s native browser, but also third-party browsers installed on the devices, such as Chrome and Firefox, since the iOS architecture requires the use of the WebKit engine to render pages. The breadth of the attack vector meant that any application capable of opening a web page could, in theory, serve as a gateway to device compromise, significantly expanding the risk surface for end users.
The fix implemented in iOS 26.2 introduces stricter input validation checks and improves memory state management. Essas Structural changes to the code are intended to prevent buffer overflows from occurring, neutralizing the effectiveness of exploits designed to take advantage of this specific weakness.
Spyware Impact and Security Context
The discovery of these vulnerabilities is directly linked to the actions of companies that develop highly complex digital surveillance software. Historicamente, flaws in WebKit have been the preferred target for the installation of sophisticated spyware, used to monitor journalists, political activists and state figures. Access gained through these flaws allows full control of the microphone and camera, transforming the smartphone into a remote spying tool.
The digital threat landscape has evolved towards attacks that do not require user interaction, known as “zero-click”. Embora to Apple did not specify whether the current flaws allowed this type of attack, the immediate update recommendation suggests a high level of danger. Protecting personal data on mobile devices has become a constant race between security engineers and attackers looking for new ways to bypass operating system barriers.
For users who consider themselves to be at high risk of targeted attacks, Apple recommends enabling “Bloqueio Mode”. Este extreme feature drastically limits the device’s functionality, blocking the execution of complex scripts on the web and restricting the receipt of attachments, which reduces the attack avenues available for malicious software.
The update also covers fixes for the operating system kernel, the deepest part of the software that controls the hardware. Modificações were designed to prevent malicious applications from being able to elevate their access privileges, ensuring that even if a barrier is breached, the attacker will encounter additional difficulties in taking full control of the device.
Compatible devices and installation procedure
The new version of the operating system is available for a wide range of devices, ensuring that most equipment in active use can be protected. The compatibility list includes iPhone 15 and later models, all versions of iPad Pro and iPad Air, and Mac computers that must be updated to macOS The company has also released corresponding fixes for Apple Watch and visionOS, ensuring the integrity of the entire product ecosystem.
To carry out the installation, users must access the Ajustes menu on their devices, navigate to the Geral section and select the Atualização option from Software. The system will automatically search for the latest version and request permission to download and install the data package. It is recommended that the device is connected to a stable Wi-Fi network and has at least 50% battery or connected to the charger throughout the process.
Those who have older devices that do not support iOS 26 also received attention from the manufacturer. Versões specific security measures, such as iOS 18.7.3, have been made available to ensure that previous generation hardware does not remain vulnerable to the same critical web content processing flaws.