Fixed: An app may be able to access sensitive payment tokens
iOSApple
iOS 26.2 and iPadOS 26.2
Released December 12, 2025
App Store
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access sensitive payment tokens
Description: A permissions issue was addressed with additional restrictions.
CVE-2025-46288: floeki, Zhongcheng Li from IES Red Team of ByteDance
AppleJPEG
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing a file may lead to memory corruption
Description: The issue was addressed with improved bounds checks.
CVE-2025-43539: Michael Reeves (@IntegralPilot)
Calling Framework
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An attacker may be able to spoof their FaceTime caller ID
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2025-46287: an anonymous researcher, Riley Walz
curl
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Multiple issues in curl
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2024-7264
CVE-2025-9086
FaceTime
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Password fields may be unintentionally revealed when remotely controlling a device over FaceTime
Description: This issue was addressed with improved state management.
CVE-2025-43542: Yiğit Ocak
Foundation
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to inappropriately access files through the spellcheck API
Description: A logic issue was addressed with improved checks.
CVE-2025-43518: Noah Gregory (wts.dev)
Foundation
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing malicious data may lead to unexpected app termination
Description: A memory corruption issue was addressed with improved bounds checking.
CVE-2025-43532: Andrew Calvano and Lucas Pinheiro of Meta Product Security
Icons
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to identify what other apps a user has installed
Description: A permissions issue was addressed with additional restrictions.
CVE-2025-46279: Duy Trần (@khanhduytran0)
Kernel
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to gain root privileges
Description: An integer overflow was addressed by adopting 64-bit timestamps.
CVE-2025-46285: Kaitao Xie and Xiaolong Bai of Alibaba Group
libarchive
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing a file may lead to memory corruption
Description: This is a vulnerability in open source code and Apple Software is among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
CVE-2025-5918
MediaExperience
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: A logging issue was addressed with improved data redaction.
CVE-2025-43475: Rosyna Keller of Totally Not Malicious Software
Messages
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access sensitive user data
Description: An information disclosure issue was addressed with improved privacy controls.
CVE-2025-46276: Rosyna Keller of Totally Not Malicious Software
Multi-Touch
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: A malicious HID device may cause an unexpected process crash
Description: Multiple memory corruption issues were addressed with improved input validation.
CVE-2025-43533: Google Threat Analysis Group
Photos
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Photos in the Hidden Photos Album may be viewed without authentication
Description: A configuration issue was addressed with additional restrictions.
CVE-2025-43428: an anonymous researcher, Michael Schmutzer of Technische Hochschule Ingolstadt
Screen Time
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access a user’s Safari history
Description: A logging issue was addressed with improved data redaction.
CVE-2025-46277: Kirin (@Pwnrin)
Screen Time
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access sensitive user data
Description: A logging issue was addressed with improved data redaction.
CVE-2025-43538: Iván Savransky
Telephony
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed with additional entitlement checks.
CVE-2025-46292: Rosyna Keller of Totally Not Malicious Software
WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A type confusion issue was addressed with improved state handling.
WebKit Bugzilla: 301257
CVE-2025-43541: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 301726
CVE-2025-43536: Nan Wang (@eternalsakura13)
WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 300774
WebKit Bugzilla: 301338
CVE-2025-43535: Google Big Sleep, Nan Wang (@eternalsakura13)
WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A buffer overflow issue was addressed with improved memory handling.
WebKit Bugzilla: 301371
CVE-2025-43501: Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative
WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A race condition was addressed with improved state handling.
WebKit Bugzilla: 301940
CVE-2025-43531: Phil Pizlo of Epic Games
WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 302502
CVE-2025-43529: Google Threat Analysis Group
WebKit
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.
Description: A memory corruption issue was addressed with improved validation.
WebKit Bugzilla: 303614
CVE-2025-14174: Apple and Google Threat Analysis Group
WebKit Web Inspector
Available for: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 300926
CVE-2025-43511: 이동하 (Lee Dong Ha of BoB 14th)
