Apple is urging iPhone and iPad users to promptly update their devices following the discovery of critical vulnerabilities. These flaws, identified in WebKit, the engine that underpins Safari and other iOS browsers, pose a significant threat, particularly because they are part of what has been described as a highly sophisticated attack aimed at specific targets. The primary danger comes from malicious websites that can execute harmful code on your device without your consent, potentially giving hackers unauthorized control.
For those who have automatic updates enabled, the latest security patch should have been installed automatically. However, users who haven’t enabled this feature will need to manually update their devices to iOS 26.2 or iPadOS 26.2 via their settings. The devices most susceptible to these vulnerabilities include the iPhone 11 and newer models, iPad Pro 12.9-inch (3rd generation onwards), and iPad Pro 11-inch (1st generation and newer). Additionally, iPad Air users (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later) are also at risk.
These security gaps are classified as zero-day vulnerabilities, a term used for flaws that are unknown to the software developers and could be exploited by cybercriminals before a fix is available. Both Apple and Google’s Threat Analysis Group have been instrumental in identifying these issues, highlighting the potential for severe cyberattacks if not promptly addressed. In response, Apple has released updates not only for iOS and iPadOS but also for other systems including macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2, underscoring the broad scope of this security threat.
One issue, called a use-after-free bug, is a memory problem that Apple resolved by improving how the device manages temporary data. Apple labeled the flaw as CVE-2025-43529. Another, known as a memory corruption bug, was fixed by adding stricter checks to prevent errors. This one was labeled as CVE-2025-14174. ‘For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,’ the tech giant said in a release.
Cybersecurity expert Kurt Knutsson shared how iPhone users can protect themselves from such vulnerabilities. Knutsson wrote for FOX News that installing updates immediately is crucial because zero-day attacks often rely on catching users off guard with outdated software. Enable automatic updates on all your Apple devices so that patches are applied as soon as they’re released. That way, even if you miss the announcement, your device stays protected without you having to lift a finger. Many WebKit exploits begin with malicious websites. To stay safe, avoid clicking on unexpected links sent via SMS, WhatsApp, Telegram or email.
If a link seems suspicious, type the website address directly into your browser instead of tapping it, Knutsson explained. The most effective way to protect yourself from links that could install malware or steal your personal information is to use antivirus software on all your devices. Good security software can also warn you about phishing emails and ransomware, helping keep your personal data and digital assets secure. Targeted attacks often begin with profiling, and the more personal information about you available online, the easier it is for attackers to pick you as a target. Limiting your exposure by adjusting social media privacy settings and removing data from broker sites can help reduce your visibility.
While no service can completely erase your information from the internet, using a data removal service is a smart choice, said Knutsson. These services actively monitor and systematically delete your personal information from hundreds of websites. Though they can be expensive, they provide peace of mind and are one of the most effective ways to protect your privacy. By minimizing the data available about you, it becomes much harder for scammers to combine breached information with what’s publicly online, lowering your risk of being targeted.