Apple's iOS 26.2 and iPadOS 26.2 updates include a variety of fixes, introduced to keep user data secure. Here's what you need to know, and why you should consider updating right away.

On Friday, after a series of developer betas and two separate release candidate builds, Apple made iOS 26.2 available to the general public. While the update contains new features, including one-time AirDrop codes and automatic chapter generation in Podcasts, the software also patches multiple vulnerabilities.

Notably, Apple patched two WebKit issues that appear to have been used for targeted attacks on older iOS versions, as well as vulnerabilities that gave apps root permissions. FaceTime caller ID spoofing is now more difficult to execute, as is getting to users' Safari browsing history or saved passwords.

In short, Apple's latest iOS 26 update means that attackers won't have as many vulnerabilities to exploit, making the iPhone operating system safer for the average user.

The iOS 26.2 fixes that keep your data safe

Friday's iOS 26.2 update introduces four security fixes that prevent apps from accessing sensitive user data. Apple addressed vulnerabilities across many areas of the iPhone operating system, meaning that attackers will have a much more difficult time accessing users' private information.

Smartphone screen displaying a photo customization feature with blurred mosaic, a sleeping cat labeled Harvie, and a fighter jet labeled Favorites.

A now-patched vulnerability enabled unauthorized access to the Photos app.

Broadly, iOS 26.2 resolved issues with the software's Messages and Phone apps. The update also addressed security vulnerabilities that affected the ScreenTime and MediaExperience features, thereby stopping applications from gaining access to the sensitive data of iPhone users.

To be more specific, an information disclosure issue related to iMessage was addressed by Apple via improved privacy controls. The vulnerability was discovered by Rosyna Keller of Totally Not Malicious Software and is designated as CVE-2025-46276.

For ScreenTime, Apple resolved a logging issue, now known as CVE-2025-43538, by improving data redaction. An arguably similar issue related to the Phone app, with the designation CVE-2025-46292, was addressed by including additional entitlement checks. CVE-2025-43475, a now-patched logging issue related to the MediaExperience component of iOS, was addressed with improved data redaction.

Apple's video communication app, FaceTime, meanwhile, had an issue where password fields could be unintentionally revealed when remotely controlling a device via the FaceTime application. iOS 26.2 resolves the vulnerability, known as CVE-2025-43542, through improved state management.

Also in the iOS 26.2 update is a security fix that keeps users' photos safe from attackers. Through additional restrictions, the company addressed a configuration issue that enabled access to the Hidden Photos Album without prior authentication.

The now-patched vulnerability has been designated as CVE-2025-43428 and was found by Michael Schmutzer of Technische Hochschule Ingolstadt and an anonymous researcher.

For the App Store, Apple used additional restrictions to resolve a permissions issue that let apps access sensitive payment tokens. CVE-2025-46288, as the now-patched vulnerability is known, was discovered by floeki and Zhongcheng Li from IES Red Team of ByteDance.

A new fix related to icons prevents individual apps from identifying other applications installed on an iPhone. Apple addressed a permissions issue, now labeled as CVE-2025-46279, with additional restrictions.

The iOS 26.2 fixes that prevent root privileges, memory corruption, more

iOS 26.2 contains a major Kernel-related fix. Specifically, a now-patched integer overflow made it possible for a malicious application to gain root privileges. Apple addressed the vulnerability, known as CVE-2025-46285, by adopting 64-bit timestamps.

Smartphone face down on a wooden table with a blurry screen and autumn leaves around.

A kernel-related fix in iOS 26.2 prevents apps from gaining root privileges.

Apple also included four separate fixes to prevent memory corruption on iOS 26.2. Issues related to AppleJPEG, Foundation, and Multi-Touch were found, along with a security issue in the open-source component libarchive. The vulnerabilities that facilitated memory corruption were resolved through improvements to input validation and bounds checking, with other solutions being utilized as well.

Another security fix aimed at stopping bad actors was added to Apple's Calling Framework. With iOS 26.2, Apple addressed an inconsistent user interface issue with improved state management, thereby stopping attackers from spoofing their FaceTime caller ID. The vulnerability, patched with iOS 26.2, is known as CVE-2025-46287.

With iOS 26.2, Apple patched a Foundation vulnerability that let applications "inappropriately access files through the spellcheck API." CVE-2025-43518, discovered by Noah Gregory, was dealt with via improved checks.

WebKit and Safari fixes in iOS 26.2

With iOS 26.6, Apple addressed eight different WebKit vulnerabilities and introduced a fix related to Safari browsing history. All of the now-patched security issues involved processing malicious web content, though the consequences of them were somewhat different.

Two smartphones display a keyboard review and hotel information on a dark background. Bold colored text highlights features like article summaries, relevant data, and travel highlights with maps and amenities.

iOS 26.2 includes multiple fixes related to WebKit.

CVE-2025-43501, CVE-2025-43531, and CVE-2025-43511 all allowed for an unexpected process crash whenever malicious web content was processed. CVE-2025-43541, meanwhile, similarly caused an unexpected process crash of the Safari web browser.

Through improved data redaction, Apple also resolved an issue related to the ScreenTime feature, which allowed apps to access a user's Safari history. The now-addressed vulnerability has been designated as CVE-2025-46277.

Crucially, however, iOS 26.2 includes fixes for two WebKit vulnerabilities that "may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26."

To be more specific, a use-after-free issue, discovered by the Google Threat Analysis Group, was addressed with improved memory management. The now-patched vulnerability, known as CVE-2025-43529, enabled arbitrary code execution when malicious web content was processed.

Similarly, a memory corruption issue, found by Apple and the Google Threat Analysis Group, was resolved through improved validation. Unlike the previous WebKit vulnerability, CVE-2025-14174 allowed for memory corruption rather than arbitrary code execution.

Overall, the iOS 26.2 update contains 25 different security fixes and patches a wide variety of vulnerabilities. The full list of security updates and fixes for iOS 26.2 can be seen on Apple's website.

It's important to always keep your operating system up-to-date. Apple's latest security fixes ensure that bad actors have a much more difficult time obtaining your private user data, on some occasions even patching exploits used in targeted attacks, as was the case with the iOS 26.2 update.