Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari web browser to address two security flaws that the company announced were being exploited in the wild. One of them is the same flaw that Google patched in Chrome earlier this week.
The vulnerabilities are listed below.
- CVE-2025-43529 (CVSS Score: N/A) – A use-after-free vulnerability in WebKit could potentially lead to arbitrary code execution when processing maliciously crafted web content.
- CVE-2025-14174 (CVSS Score: 8.8) – A memory corruption issue in WebKit could lead to memory corruption when processing maliciously crafted web content.
Apple said it was aware that the flaw “could have been exploited in highly sophisticated attacks against specific targets in versions of iOS prior to iOS 26.”
It’s worth noting that CVE-2025-14174 is the same vulnerability that Google issued a patch for its Chrome browser on December 10, 2025. The vulnerability is described by the tech giant as an out-of-bounds memory access in its open-source Almost Native Graphics Layer Engine (ANGLE) library, specifically the Metal renderer.
Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) are credited with discovering and reporting this flaw, and Apple credits TAG with discovering CVE-2025-43529.
This indicates that both vulnerabilities are likely to have been weaponized in targeted mercenary spyware attacks, given that both vulnerabilities affect WebKit, the rendering engine also used by all third-party web browsers on iOS and iPadOS, including Chrome, Microsoft Edge, Mozilla Firefox, and more.
This defect has been resolved in the following versions and devices:
- iOS 26.2 and iPadOS 26.2 – iPhone 11 or later, iPad Pro 12.9 inch 3rd generation or later, iPad Pro 11 inch 1st generation or later, iPad Air 3rd generation or later, iPad 8th generation or later, iPad mini 5th generation or later
- iOS 18.7.3 and iPadOS 18.7.3 – iPhone XS or later, iPad Pro 13 inch, iPad Pro 12.9 inch 3rd generation or later, iPad Pro 11 inch 1st generation or later, iPad Air 3rd generation or later, iPad 7th generation or later, iPad mini 5th generation or later
- macOS Tahoe 26.2 – Mac running macOS Tahoe
- TV OS 26.2 – Apple TV HD and Apple TV 4K (all models)
- Watch OS 26.2 – Apple Watch Series 6 or later
- Vision OS 26.2 – Apple Vision Pro (all models)
- Safari 26.2 – Macs running macOS Sonoma and macOS Sequoia
With these updates, Apple has identified nine zero-day vulnerabilities that were exploited in the wild in 2025: CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, CVE-2025-43300.
