Apple Patches Actively Exploited WebKit Zero-Day in iOS and macOS

Wednesday, February 25, 2026 at 06:00 PM UTC·Source: Apple / Citizen Lab

Updated: Thursday, February 26, 2026 at 10:00 AM UTC

Executive Summary

Apple releases emergency updates for iOS 18.4 and macOS 15.4 to fix WebKit zero-day used in targeted attacks. Sophisticated exploit chain confirmed.

Analysis

Apple has released emergency security updates for CVE-2026-23529, a use-after-free vulnerability in WebKit being actively exploited in "extremely sophisticated" targeted attacks. The vulnerability affects iOS, iPadOS, macOS, visionOS, and Safari. Apple credits Citizen Lab for the discovery, suggesting surveillance-related exploitation. Update to iOS 18.4, macOS 15.4, and Safari 18.4 immediately.

Timeline

Discovered

Feb 20, 2026

Exploitation Detected

Feb 20, 2026

Published

Feb 25, 2026

Patch Available

Feb 25, 2026

Indicators of Compromise (1)

CVE (1)

CVE-2026-23529

NVD MITRE CVE

Source Attribution

Originally published by Apple / Citizen Lab on Feb 25, 2026. Verified by: Apple, Citizen Lab.

Related Threats

LOWZero Day

EvilTokens abuses Microsoft device code flow for account takeovers

A new phishing-as-a-service (PhaaS) campaign is abusing Microsoft’s device code authentication flow to gain unauthorized access to user accounts. Sekoia researchers first spotted the toolkit “EvilTokens” that lets attackers capture authentication tokens by tricking users into completing a legitimate login process in Microsoft’s own environment. The activity, observed since at least mid-February, r

16h agoCSO Online

CRITICALZero Day

Cybersecurity in the age of instant software

AI is rapidly changing how software is written, deployed, and used. Trends point to a future where AIs can write custom software quickly and easily: “instant software.” Taken to an extreme, it might become easier for a user to have an AI write an application on demand — a spreadsheet, for example — and delete it when you’re done using it than to buy one commercially. Future systems could include a

20h agoCSO Online

CRITICALZero Day

Hackers exploit TrueConf zero-day to push malicious software updates

Hackers have targeted TrueConf conference servers in attacks that exploit a zero-day vulnerability, allowing them to execute arbitrary files on all connected endpoints. [...]

1d agoBleepingComputer