Apple Releases Emergency iOS 19.3.2 Update Patching Actively Exploited WebKit Zero-Day
Apple has pushed an emergency security update for iPhone, iPad, and Mac devices to address CVE-2026-24201, a WebKit vulnerability that has been actively exploited in sophisticated targeted attacks. The out-of-band patch is Apple's third emergency security update in 2026, reflecting an increase in zero-day exploitation targeting mobile platforms.
Apple has released emergency security updates for iOS 19.3.2, iPadOS 19.3.2, and macOS Sequoia 15.7.4 to patch CVE-2026-24201, a WebKit vulnerability that the company says has been actively exploited in "extremely sophisticated" targeted attacks. The out-of-band update — Apple's third emergency patch this year — underscores the persistent challenge of securing the web rendering engines that underpin modern mobile browsing.
The Vulnerability
CVE-2026-24201 is a type confusion vulnerability in JavaScriptCore, WebKit's JavaScript engine. A type confusion occurs when the engine treats an object as a type other than its actual one, potentially allowing an attacker to execute arbitrary code with the privileges of the browser process. In practical terms, visiting a maliciously crafted website could allow an attacker to break out of the browser sandbox and install surveillance software on the device.
Apple's advisory credits the discovery to Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group — the same team that tracks government-backed surveillance operations and commercial spyware vendors. The involvement of TAG strongly suggests that the vulnerability was being used by a commercial spyware vendor such as NSO Group, Intellexa, or a similar organization.
Scope of Impact
The vulnerability affects all Apple platforms that use WebKit as their rendering engine: iPhone, iPad, Mac, Apple Vision Pro, and Apple Watch. On iOS and iPadOS, all browsers — including Chrome and Firefox — use WebKit under the hood due to Apple's App Store policies, meaning every iPhone user is potentially affected regardless of their browser choice.
Apple describes the attacks as "targeted," suggesting that the exploit was used against specific individuals rather than in broad campaigns. However, once a zero-day exploit becomes publicly known through a patch, it is common for other threat actors to reverse-engineer the fix and develop their own exploits targeting unpatched devices.
Update Urgency
Security researchers are urging immediate updates for all Apple devices. The combination of active exploitation, remote code execution capability, and the universal exposure of WebKit on Apple platforms makes this one of the highest-priority patches of 2026. Users can update through Settings, then General, then Software Update on iOS devices, or through System Settings, then Software Update on Mac.
This is the third actively exploited zero-day that Apple has patched in 2026, following fixes in January and February. The pace of zero-day disclosures reflects both improved detection capabilities by security researchers and the growing sophistication of commercial spyware operations.