Apple’s iOS 26.2 fixes two exploited WebKit zero-days, but users say iOS 18.7.3 isn’t offered on iPhones that can run iOS 26—forcing an upgrade for security.
Apple’s latest iPhone security fixes are colliding with a messy software-update reality: if your iPhone can run iOS 26, but you’re still on iOS 18, you may not be offered the smaller iOS 18.7.3 security update at all—leaving iOS 26.2 as the only path to patch two vulnerabilities Apple says were exploited in an “extremely sophisticated” attack. [1]
That combination—active exploitation plus an upgrade-or-stay-exposed dilemma—has turned what would normally be a routine security push into one of the most debated Apple update stories of the week.
What’s happening with the iPhone updates on December 19
Over the past day, complaints have intensified from iPhone owners who deliberately stayed on iOS 18 (for design preferences, app compatibility, or a “wait before major upgrades” mindset). According to a report from Six Colors, many of those users now see only iOS 26.2 in Software Update—despite Apple releasing iOS 18.7.3 to patch the same security issues. [2]
On Apple’s own Support Community, users describe earlier iOS 18 point-updates disappearing and being replaced by a prompt to upgrade to iOS 26.2—particularly on newer iPhones that support iOS 26. [3]
The result, as of today: for a segment of users, Apple’s “security update without major upgrade” safety net appears to be missing—at least through the standard update path.
Why Apple wants you on iOS 26.2 right now
This isn’t just another bug-fix release. Apple’s security documentation for iOS 26.2 and iPadOS 26.2 states the update addresses vulnerabilities including two WebKit issues that may have been exploited in highly targeted attacks on versions of iOS before iOS 26. [4]
Those two WebKit flaws are tracked as:
- CVE-2025-43529 (use-after-free in WebKit)
- CVE-2025-14174 (memory corruption in WebKit)
Apple’s bulletin says it is aware of a report these issues “may have been exploited” in an “extremely sophisticated attack” against specific targeted individuals on iOS versions before iOS 26. [5]
Security reporting this week has emphasized what that wording usually signals: the attacks may have been highly targeted, but once patches ship and details circulate, the risk often expands beyond the original victims. [6]
Why WebKit vulnerabilities are a big deal on iPhone
WebKit isn’t “just Safari.” It’s the core browser engine that handles how web content is processed on Apple platforms—and it’s a common attack surface for spyware-style campaigns because malicious web content can be weaponized against the browser layer. [7]
iOS 18.7.3 exists—so why can’t some iPhones see it?
Apple’s own security page for iOS 18.7.3 / iPadOS 18.7.3 shows it was released on December 12, 2025, and it includes WebKit fixes addressing the same two CVEs. [8]
But here’s the key detail: Apple lists iOS 18.7.3 availability for iPhone XS, iPhone XS Max, and iPhone XR—devices that cannot run iOS 26. [9]
Meanwhile, Apple’s iOS 26.2 bulletin lists compatibility starting at iPhone 11 and later. [10]
So if you’re on an iPhone 11, iPhone 12, iPhone 13, iPhone 14, iPhone 15, or iPhone 16 and you never moved off iOS 18, you’re in the uncomfortable middle ground: you’re eligible for iOS 26.2, but you may not be offered iOS 18.7.3 through the normal update channel—exactly the scenario Six Colors highlighted. [11]
Is Apple “forcing” the upgrade—or is this a bug?
The word “forcing” matters. No one is reporting that Apple is silently upgrading devices without permission. The controversy is about security patch access: if a serious vulnerability is fixed, users expect to be able to install the fix without being pushed into a major OS jump.
Six Colors says Apple hasn’t responded to questions about whether the missing iOS 18.7.3 path is an error, a bug, or a policy decision. [12]
On Apple’s Support Community, one top response frames this as typical: once a device is eligible for a new major iOS generation, the older branch eventually stops being offered for that device—meaning you’ll need the new major version to keep receiving the latest fixes. [13]
What’s new this time is the context: the “upgrade pressure” is landing right as Apple warns about exploited vulnerabilities—making the practical outcome feel like security updates are gated behind iOS 26.2 for some users.
The security story behind the scenes: Google patched one of the same CVEs
One reason this update cycle is drawing extra attention: CVE-2025-14174 wasn’t only an Apple issue.
Google’s Chrome team published a Stable Channel update noting CVE-2025-14174 as an out-of-bounds memory access in ANGLE, reported by Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG). Google also states it is aware an exploit exists in the wild. [14]
SecurityWeek and BleepingComputer reporting connects the dots: Apple credits Google TAG for discovery on one of the WebKit bugs, and describes the attacks as extremely sophisticated—often language used when the victim set is small but high-value. [15]
What you should do right now
If you’re trying to make a decision today, the safest approach depends on your device and your tolerance for major upgrades.
1) If your iPhone supports iOS 26: update to iOS 26.2 for the patch
Apple’s iOS 26.2 security bulletin is explicit that these fixes are in iOS 26.2 for iPhone 11 and later. [16]
How to update:
Settings → General → Software Update → iOS 26.2
Good practice before updating:
- Back up your iPhone (iCloud or computer backup)
- Plug into power and use Wi‑Fi
- Make sure you have enough free storage
2) If your iPhone cannot run iOS 26: install iOS 18.7.3
If you’re on an iPhone XS / XS Max / XR, iOS 18.7.3 is the security path Apple lists and it includes the WebKit fixes. [17]
3) If you’re on a newer iPhone but want to stay on iOS 18: a workaround is being reported (with caveats)
Six Colors reports that some users have gotten iOS 18.7.3 to appear by enrolling in Apple’s public beta program and switching to the iOS 18 public beta track, after which 18.7.3 becomes available. [18]
Important caveat: Apple has not publicly clarified whether this is an intended solution, a temporary configuration issue, or a loophole that could disappear. Six Colors itself notes it’s “a long way to go just to get security fixes.” [19]
If you cover this as a publisher or recommend it to readers, the responsible framing is: this is user-reported behavior and not a confirmed Apple policy statement.
Why this matters beyond one update screen
Apple generally earns praise for supporting older devices with security patches. That’s why the iOS 18.7.3 visibility issue is such a flashpoint: it challenges expectations about how long Apple will keep two branches patched for hardware that could upgrade.
And the urgency is real. Apple’s own language—“exploited,” “extremely sophisticated,” “targeted individuals”—is the kind of warning that security teams take seriously, especially when paired with a parallel patch from Google. [20]
What to watch next
As of December 19, the open questions are straightforward:
- Will Apple re-surface iOS 18.7.3 (or a follow-up iOS 18 security update) for iPhones that can run iOS 26 but haven’t upgraded?
- Will Apple publish guidance explaining whether this is expected behavior or a rollout/configuration issue?
- Will enterprises and schools that delay major upgrades for compatibility reasons get clearer update paths?
Until then, the practical advice is simple: if you can safely move to iOS 26.2, that’s the clearest route to the fixes Apple is warning about today. [21]
References
1. sixcolors.com, 2. sixcolors.com, 3. discussions.apple.com, 4. support.apple.com, 5. support.apple.com, 6. www.bleepingcomputer.com, 7. www.techradar.com, 8. support.apple.com, 9. support.apple.com, 10. support.apple.com, 11. sixcolors.com, 12. sixcolors.com, 13. discussions.apple.com, 14. chromereleases.googleblog.com, 15. www.securityweek.com, 16. support.apple.com, 17. support.apple.com, 18. sixcolors.com, 19. sixcolors.com, 20. support.apple.com, 21. support.apple.com
