Your iPhone Just Got Owned: iOS WebKit Zero-Days Require No Click (CVE-2025-43529)

Your iPhone can be compromised by loading a webpage. No click. No download. Just visit the wrong site. Apple patched this a month ago. Only 16% of users have updated. 🤔

StatCounter data from January 2026:

→ iOS 26 (all versions): 16% of iPhones

→ iOS 18 (unpatched): over 60% of iPhones

For comparison, iOS 18 reached 63% adoption by January 2025. iOS 26 is at less than one quarter of that rate. The lowest adoption Apple has seen in years.

On December 12, 2025, Apple released emergency patches for two WebKit bugs already being exploited in targeted attacks. Google’s Threat Analysis Group found them in the wild, used against real people.

→ CVE-2025-43529: Use-after-free in WebKit. Remote code execution through malicious webpage.

→ CVE-2025-14174: Memory corruption in ANGLE graphics library. Shared between Chrome and Safari.

Apple called the attacks “extremely sophisticated” targeting “specific individuals.” That means commercial spyware. The kind used against journalists, activists, and political figures.

How the attack works: You visit a webpage. No click required. The page triggers the use-after-free bug in WebKit. Every browser on iOS uses WebKit under the hood, so Safari, Chrome, Firefox, any browser, they are all affected.

Code executes inside the browser sandbox. The second vulnerability corrupts memory in a way that lets the attacker escape. A kernel exploit grants root access. At that point, the attacker owns your device. Messages, photos, microphone, camera, location. Everything.

The two-day window: Google patched the same ANGLE vulnerability in Chrome on December 10. Apple’s patch came December 12. During those two days, anyone who could reverse-engineer Google’s fix knew exactly which memory handling bug to target on iPhones.

Attackers do this routinely. When Google publishes a Chrome fix, the code changes are public. Anyone can compare the old and new versions, figure out exactly what was vulnerable, and build an exploit for other software that uses the same library before those vendors ship their own patches.

Why people refused to update

Apple made iOS 18.7.3, which patches the same bugs. But they only released it for older iPhones that cannot run iOS 26. The iPhone XS, XS Max, and XR.

Everyone with an iPhone 11 or newer has one option: iOS 26.2.

iOS 26 introduced Liquid Glass, a complete visual redesign. Translucent layers, blurred backgrounds, dynamic depth effects everywhere. Some users find it harder to read. Others report performance issues on older devices. Many just hate how it looks.

Apple briefly allowed a workaround through the iOS 18 beta program. Then they closed that loophole too. So if you have an iPhone 11 or newer and want the security patches, you have to accept the Liquid Glass redesign whether you like it or not.

Apple is testing a fix for future situations like this. iOS 26.3 beta includes “Background Security Improvements,” a system that can push security patches for Safari and WebKit without requiring a full OS update. If it works, users could stay on their current iOS version and still get critical security fixes. But for now it is only in beta testing, so it does not help the 60% of users still running iOS 18 right now.

The pattern: WebKit zero-days are the standard entry point for sophisticated surveillance tools. NSO Group’s Pegasus, Paragon Solutions, Intellexa, they all use this attack pattern: → Find a WebKit bug that triggers on page load

→ Chain it with a sandbox escape

→ Add a kernel exploit

→ Install persistent spyware

The targets are typically journalists, activists, lawyers, anyone who challenges power. But the tools spread. What starts as nation-state capability eventually shows up in broader criminal operations.

Apple has patched nine zero-days exploited in the wild during 2025. Google patched eight in Chrome. Memory corruption in browser engines remains the most valuable attack surface for targeted surveillance.

What to do

→ Update to iOS 26.2

→ iPhone XS, XS Max, or XR: install iOS 18.7.3 instead

→ Handle sensitive information: enable Lockdown Mode (Settings → Privacy and Security → Lockdown Mode)

CISA added both CVEs to their Known Exploited Vulnerabilities catalog. Federal agencies had until January 5 to patch. The adoption numbers show most iPhone users still have not updated.