Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, VisionOS and its Safari web browser to fix two security flaws that it said had been exploited, one of which is the same flaw that Google patched in Chrome earlier this week.
Weaknesses are listed below –
- CVE-2025-43529 (CVSS Score: N/A) – A use-after-free vulnerability in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content
- CVE-2025-14174 (CVSS Score: 8.8) – A memory corruption issue in WebKit that could cause memory corruption when processing maliciously crafted web content
Apple said it was aware that the vulnerabilities “could have been exploited in a highly sophisticated attack against specific targeted individuals on versions of iOS prior to iOS 26.”
It is worth noting that CVE-2025-14174 is the same vulnerability for which Google released a patch in its Chrome browser on December 10, 2025. This is described by the tech giant as an out-of-bounds memory access in the company’s open-source Almost Native Graphics Layer Engine (ANGLE) library, specifically in its Metal renderer.
Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) have been credited with finding and reporting the flaw, while Apple has given TAG credit for finding CVE-2025-43529.
This indicates that the vulnerabilities were likely weaponized in highly targeted mercenary spyware attacks, given that they both affect WebKit, the rendering engine that is also used in all third-party web browsers on iOS and iPadOS, including Chrome, Microsoft Edge, Mozilla Firefox, and others.
The bugs have been fixed in the following versions and devices –
- iOS 26.2 and iPadOS 26.2 – iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
- iOS 18.7.3 and iPadOS 18.7.3 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
- macOS Tahoe 26.2 – Mac running macOS Tahoe
- tvOS 26.2 – Apple TV HD and Apple TV 4K (all models)
- watchOS 26.2 – Apple Watch Series 6 and later
- VisionOS 26.2 – Apple Vision Pro (All models)
- Safari 26.2 – Mac running macOS Sonoma and macOS Sequoia
With these updates, Apple has now fixed nine zero-day vulnerabilities that were exploited in 2025, including CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, is included. and CVE-2025-43300.
