
Apple Patches WebKit Zero-Days Exploited Across iOS, macOS, Safari

Eng. Donya Bino

Apple has released security updates across iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari to fix two zero-day vulnerabilities in WebKit, the engine behind Safari and all third-party browsers on Apple devices. Both flaws have reportedly been exploited in active attacks.

The vulnerabilities are:
1. CVE-2025-43529 – A use-after-free flaw that could let attackers run malicious code via crafted web content.
2. CVE-2025-14174 – A memory corruption issue in WebKit, the same flaw Google patched in Chrome this week, affecting the ANGLE Metal renderer.

Apple said these vulnerabilities may have been used in highly targeted attacks against specific individuals, emphasizing the serious nature of the threat.

Who’s Affected and Update Versions
1. iOS 26.2 / iPadOS 26.2 – iPhone 11+, iPad Pro 12.9" (3rd Gen+) and 11" (1st Gen+), iPad Air 3+, iPad 8+, iPad mini 5+
2. iOS 18.7.3 / iPadOS 18.7.3 – iPhone XS+, iPad Pro 13", 12.9" (3rd Gen+), 11" (1st Gen+), iPad Air 3+, iPad 7+, iPad mini 5+
3. macOS Tahoe 26.2 – All Macs running Tahoe
4. tvOS 26.2 – Apple TV HD/4K
5. watchOS 26.2 – Apple Watch Series 6+
6. visionOS 26.2 – Apple Vision Pro
7. Safari 26.2 – Macs running Sonoma and Sequoia

With these updates, Apple has addressed nine zero-day flaws exploited in the wild in 2025, including CVE-2025-24085 and CVE-2025-24200.

Why It Matters
All browsers that run on iOS and iPadOS are based on WebKit. An attacker can exploit these vulnerabilities by having the user visit a compromised website. It is therefore vital that users install the newest software updates to protect their devices from potential exploitation.

Google's Threat Analysis Group (TAG) helped Apple identify CVE-2025-43529 and CVE-2025-14174. The joint efforts of Google TAG and Apple SEAR demonstrated how quickly the technology companies collaborate to fix security vulnerabilities.

Source: The Hacker News
