Update Your iPhone ASAP to Avoid FaceTime Scams

On Friday, Apple dropped iOS 26.2. Despite being the third update in the iOS 26 era, 26.2 still adds some interesting and useful new features, like alarms for reminders and refinements to the Sleep Score on Apple Watch.

Updates aren’t all about the features, however. Apple typically includes a number of security patches with its software releases as well, which makes each update important to install. You don’t always need to install the latest version of iOS or macOS to benefit from these security patches, either: Apple usually releases important security patches for some older versions of its software. iPhones running iOS 18 can install the same security patches as those running iOS 26, as can Mac users running macOS Sequoia or Sonoma, rather than Tahoe.

All that to say, Apple’s update today comes with a series of patches you’ll want to install on your iPhone—no matter what software version you’re currently running. This particular release ships with 25 patches, and while some of them seem only pertinent to software developers, others are plainly serious.

iOS 26.2 patches some serious security vulnerabilities

Perhaps most importantly from a security perspective, this release includes two patches for potential zero-day vulnerabilities. Zero-day flaws are especially dangerous as they are either publicly disclosed or actively exploited before a developer has a chance to issue a patch—leaving users vulnerable to attack.

Both flaws (CVE-2025-43529 and CVE-2025-14174) affect WebKit, Apple’s browser engine, which powers Safari and other web browsers on iPhone. Before Apple patched these issues, bad actors could present users with malicious web content. Once the iPhone processes that content, it could lead to arbitrary code execution, which, essentially, allows the bad actor to run whatever code they want on your iPhone. Apple says it is aware of reports that these two flaws may have been exploited in “an extremely sophisticated attack against specific targeted individuals” in versions of iOS older than iOS 26.

This is not the first time Apple has patched flaws with this warning. Due to the iPhone’s popularity, these flaws are valuable to governments and other large-scale actors that target high-profile individuals, like journalists and politicians. Apple will even send these users warnings when their iPhone has been identified in such an attack. While the risk is low that the average iPhone user will be targeted in one of these campaigns, it’s not impossible, which means it’s important to update as soon as a patch is available. These patches apply to other Apple devices too, like Macs, so update all devices as soon as possible.

While those two flaws are the most important of the bunch to fix, there are others here that you’ll want to fix ASAP. One of the first to jump out at me was a “Calling Framework” flaw that allows bad actors to spoof their FaceTime caller ID. With the rise of AI scams, bad actors could create an AI voice that sounds like someone you know, and spoof their contact so it looks like they’re calling you over FaceTime audio. This update patches that possibility—at least, as far as spoofing is concerned.

Speaking of FaceTime, this update also patches a flaw that sometimes reveals password fields when remotely controlling a device over FaceTime. If you were sharing your screen with someone over a video call, they might be able to see when you typed in your password and use that against you. There’s also a patch for an issue that allowed an app to see other apps you had installed on your device—a major privacy and security vulnerability.

If you use the Photos app’s Hidden feature to hide sensitive pictures you don’t want others to see, you’ll want to install this update ASAP, too: Previous versions of iOS contained a bug that made it possible to view these hidden photos without authentication.

iOS 26.2 security release notes

If you’re interested in seeing all of Apple’s security patches in this update, the full release notes are as follows:

App Store

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: An app may be able to access sensitive payment tokens

  • Description: A permissions issue was addressed with additional restrictions.

  • CVE-2025-46288: floeki, Zhongcheng Li from IES Red Team of ByteDance

AppleJPEG

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Processing a file may lead to memory corruption

  • Description: The issue was addressed with improved bounds checks.

  • CVE-2025-43539: Michael Reeves (@IntegralPilot)

Calling Framework

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: An attacker may be able to spoof their FaceTime caller ID

  • Description: An inconsistent user interface issue was addressed with improved state management.

  • CVE-2025-46287: an anonymous researcher, Riley Walz

curl

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Multiple issues in curl

  • Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.

  • CVE-2024-7264, CVE-2025-9086

FaceTime

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Password fields may be unintentionally revealed when remotely controlling a device over FaceTime

  • Description: This issue was addressed with improved state management.

  • CVE-2025-43542: Yiğit Ocak

Foundation

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: An app may be able to inappropriately access files through the spellcheck API

  • Description: A logic issue was addressed with improved checks.

  • CVE-2025-43518: Noah Gregory (wts.dev)

Foundation

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Processing malicious data may lead to unexpected app termination

  • Description: A memory corruption issue was addressed with improved bounds checking.

  • CVE-2025-43532: Andrew Calvano and Lucas Pinheiro of Meta Product Security

Icons

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: An app may be able to identify what other apps a user has installed

  • Description: A permissions issue was addressed with additional restrictions.

  • CVE-2025-46279: Duy Trần (@khanhduytran0)

Kernel

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: An app may be able to gain root privileges

  • Description: An integer overflow was addressed by adopting 64-bit timestamps.

  • CVE-2025-46285: Kaitao Xie and Xiaolong Bai of Alibaba Group

libarchive

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Processing a file may lead to memory corruption

  • Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.

  • CVE-2025-5918

MediaExperience

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: An app may be able to access user-sensitive data

  • Description: A logging issue was addressed with improved data redaction.

  • CVE-2025-43475: Rosyna Keller of Totally Not Malicious Software

Messages

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: An app may be able to access sensitive user data

  • Description: An information disclosure issue was addressed with improved privacy controls.

  • CVE-2025-46276: Rosyna Keller of Totally Not Malicious Software

Multi-Touch

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: A malicious HID device may cause an unexpected process crash

  • Description: Multiple memory corruption issues were addressed with improved input validation.

  • CVE-2025-43533: Google Threat Analysis Group

Photos

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Photos in the Hidden Photos Album may be viewed without authentication

  • Description: A configuration issue was addressed with additional restrictions.

  • CVE-2025-43428: an anonymous researcher, Michael Schmutzer of Technische Hochschule Ingolstadt

Screen Time

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: An app may be able to access a user’s Safari history

  • Description: A logging issue was addressed with improved data redaction.

  • CVE-2025-46277: Kirin (@Pwnrin)

Screen Time

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: An app may be able to access sensitive user data

  • Description: A logging issue was addressed with improved data redaction.

  • CVE-2025-43538: Iván Savransky

Telephony

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: An app may be able to access user-sensitive data

  • Description: This issue was addressed with additional entitlement checks.

  • CVE-2025-46292: Rosyna Keller of Totally Not Malicious Software

WebKit

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

  • Description: A type confusion issue was addressed with improved state handling.

  • WebKit Bugzilla: 301257

  • CVE-2025-43541: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative

WebKit

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Processing maliciously crafted web content may lead to an unexpected process crash

  • Description: A use-after-free issue was addressed with improved memory management.

  • WebKit Bugzilla: 301726

  • CVE-2025-43536: Nan Wang (@eternalsakura13)

WebKit

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Processing maliciously crafted web content may lead to an unexpected process crash

  • Description: The issue was addressed with improved memory handling.

  • WebKit Bugzilla: 300774

  • WebKit Bugzilla: 301338

  • CVE-2025-43535: Google Big Sleep, Nan Wang (@eternalsakura13)

WebKit

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Processing maliciously crafted web content may lead to an unexpected process crash

  • Description: A buffer overflow issue was addressed with improved memory handling.

  • WebKit Bugzilla: 301371

  • CVE-2025-43501: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative

WebKit

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Processing maliciously crafted web content may lead to an unexpected process crash

  • Description: A race condition was addressed with improved state handling.

  • WebKit Bugzilla: 301940

  • CVE-2025-43531: Phil Pizlo of Epic Games

WebKit

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.

  • Description: A use-after-free issue was addressed with improved memory management.

  • WebKit Bugzilla: 302502

  • CVE-2025-43529: Google Threat Analysis Group

WebKit

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.

  • Description: A memory corruption issue was addressed with improved validation.

  • WebKit Bugzilla: 303614

  • CVE-2025-14174: Apple and Google Threat Analysis Group

WebKit Web Inspector

  • Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

  • Impact: Processing maliciously crafted web content may lead to an unexpected process crash

  • Description: A use-after-free issue was addressed with improved memory management.

  • WebKit Bugzilla: 300926

  • CVE-2025-43511: 이동하 (Lee Dong Ha of BoB 14th)
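
For patch triage, the release notes above can be parsed into per-component entries. The following is an added example, not code from Apple or from this article: it reads an abridged excerpt of the notes and takes each entry's CVE IDs only from its credit line, because the two exploited WebKit entries name each other's CVE inside their Impact text. The function names and the `exploited` field are assumptions of this example.

```python
import re

CVE = re.compile(r"CVE-\d{4}-\d{4,}")
EXPLOITED = "may have been exploited"   # wording used in the Impact lines above

# Abridged excerpt of the notes above (device lists shortened, blank lines dropped).
SAMPLE = """\
Kernel
  • Available for: iPhone 11 and later
  • Impact: An app may be able to gain root privileges
  • Description: An integer overflow was addressed by adopting 64-bit timestamps.
  • CVE-2025-46285: Kaitao Xie and Xiaolong Bai of Alibaba Group
curl
  • Impact: Multiple issues in curl
  • Description: This is a vulnerability in open source code and Apple Software is among the affected projects.
  • CVE-2024-7264, CVE-2025-9086
WebKit
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.
  • Description: A use-after-free issue was addressed with improved memory management.
  • WebKit Bugzilla: 302502
  • CVE-2025-43529: Google Threat Analysis Group
"""

def parse_notes(text):
    """Return one dict per entry: component, impact, description, cves, exploited."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):          # unbulleted line starts a new entry
            cur = {"component": line, "impact": "", "description": "",
                   "cves": [], "exploited": False}
            entries.append(cur)
            continue
        if cur is None:
            continue                           # bullet before any component heading
        body = line.lstrip("• ").strip()
        if body.startswith("Impact:"):
            cur["impact"] = body[len("Impact:"):].strip()
            cur["exploited"] = EXPLOITED in cur["impact"]
        elif body.startswith("Description:"):
            cur["description"] = body[len("Description:"):].strip()
        elif body.startswith("CVE-"):          # credit line: the entry's own CVE IDs
            cur["cves"] = CVE.findall(body.split(":", 1)[0])
    return entries

def triage(entries):
    """Entries flagged as exploited first, the rest in document order."""
    return sorted(entries, key=lambda e: not e["exploited"])
```

Feed it only the release-notes block, since any unbulleted line is treated as a component heading.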
