Apple is warning that hundreds of millions of iPhones may still be vulnerable to active attacks due to a serious Safari security flaw, according to details disclosed in a recent Apple security update that confirmed the issue was already being exploited in the wild.
The iPhone is the most widely used smartphone in the United States and one of the most popular devices globally, with an estimated 1.6 billion active users. That enormous install base also makes it a prime target for attackers. New estimates suggest that as many as half of all iPhone users worldwide may not have installed the latest update, leaving hundreds of millions of devices potentially exposed.
Apple confirmed that the vulnerability lies in WebKit, the browser engine that powers Safari and every browser on iOS. The flaw allows malicious websites to run unauthorized code on an iPhone or iPad simply by being visited. In practice, this means attackers could steal passwords, access private data, or compromise payment information without the user realizing what happened. Apple described the attacks as extremely sophisticated and targeted, but once technical details become public, wider exploitation becomes more likely.
Despite Apple releasing a fix quickly, adoption has been slow. Estimates indicate that roughly 50 percent of eligible users have not upgraded from iOS 18 to iOS 26. Some analytics firms put the figure even lower, suggesting only around 20 percent of users have updated so far. That delay dramatically increases risk, because attackers now know exactly which weakness to target.
Apple says the issue affects iPhone 11 and newer models, along with multiple generations of iPads, including recent iPad Pro, iPad Air, iPad, and iPad mini devices. Any of these products remain vulnerable if they have not been updated to the latest software.
There is no workaround for the flaw and no setting users can change to protect themselves. Security experts stress that safe browsing habits alone are not enough because the vulnerability exists deep inside the browser engine. Apple is also no longer offering security-only patches for users who stay on older versions. Unless a device is incapable of running the new software, the fix is only available through iOS 26.2 and iPadOS 26.2 or later.
Updating takes only a few minutes and can be done by opening Settings, tapping General, selecting Software Update, and installing the latest version while connected to Wi-Fi. Automatic updates may already have applied the fix for some users, but many devices still remain unpatched. If you’re still stuck on iOS 18, it is advisable to regularly reboot your phone to kill any malicious software running in the background.
Apple
Keeping iOS up to date is the most important step, but experts also recommend additional protection. Security tools that block malicious websites and flag suspicious links can help reduce exposure to future attacks that exploit compromised pages or newly discovered browser flaws. Software updates close known holes, but layered protection helps defend against what comes next.