Apple warned iPhone users to update their devices after fixing two WebKit security flaws that it says were used in “extremely sophisticated” targeted attacks. The attacks affected iOS versions released before iOS 26, raising concern for users who have not installed recent updates.
According to Apple, the fixes are available in iOS 26.2 for newer iPhones and iOS 18.7.3 for older models. The company also asked users to restart their devices after updating to reduce the immediate risk.
WebKit powers Safari and handles much of the web content on iPhones. One of the flaws could allow an attacker to run code on a device by tricking a user into loading malicious web content. That means an attack can start from a web page, without installing an app.
The National Vulnerability Database explained that this type of bug allows arbitrary code execution. In simple terms, a carefully crafted website can take control of parts of a phone if the software is outdated.
Many iPhones still run older software
A large number of iPhones still appear to run older versions of iOS. That creates an opening for targeted attacks, especially when users delay updates.
StatCounter reported that iOS 26.2 showed very low adoption in December tracking data. The firm also noted reporting issues that made it harder to see the real numbers, since some newer versions appeared as older releases in Safari data.
Apple released the fixes
Apple shipped iOS 26.2 for iPhone 11 and later, and iOS 18.7.3 for devices like the iPhone XS, XS Max, and XR on December 12, 2025. The same update cycle included fixes for Safari and other Apple platforms.
Apple Support advised users to update through Settings, then General, and finally Software Update. Apple stressed that keeping devices updated is one of the most important steps for security.
Restarting an iPhone can help in the short term, but it does not replace installing updates.
Malwarebytes researcher Pieter Arntz explained that a restart clears malware that only lives in memory, unless it has gained persistence. He also warned that assuming you are not a target is not a safe approach.
Apple has not shared details about who was targeted or how many devices were affected. The takeaway is clear: update to the latest iOS version for your device and reboot. Web attacks do not need apps, and slow updates leave space for attackers to operate.