Apple has released a series of unscheduled security updates to address two zero‑day vulnerabilities in the WebKit browser engine. According to the company, both flaws were already being used in a highly sophisticated targeted attack against a limited set of users, which makes installing the patches a priority for anyone using Apple devices.
Technical details of CVE-2025-43529 and CVE-2025-14174 in WebKit
The first issue, CVE-2025-43529, is a use‑after‑free vulnerability in WebKit. This class of bug appears when software continues to access a block of memory after it has been released. If an attacker can trigger such a condition via specially crafted web content, they may achieve remote arbitrary code execution in the context of the browser. A final CVSS score has not yet been published. The flaw was discovered by researchers from Google Threat Analysis Group (TAG), which focuses on tracking advanced, targeted operations and zero‑day exploitation.
The second vulnerability, CVE-2025-14174, also affects WebKit and is described as a memory corruption issue. Memory corruption often enables bypassing sandboxing or other isolation mechanisms and can lead to arbitrary code execution in the browser or a privileged system process. This vulnerability has been assigned a CVSS base score of 8.8 (High). It was identified jointly by Apple’s internal security teams and Google TAG.
Why WebKit vulnerabilities are so dangerous for iOS and macOS users
WebKit is the core rendering engine behind Safari, in‑app web views and, due to Apple’s platform policy, all third‑party browsers on iOS and iPadOS. This creates a “single point of failure”: a successful exploit against WebKit can immediately impact hundreds of millions of devices. For attackers, such monoculture makes browser engines one of the most attractive and cost‑effective targets in the mobile ecosystem.
Affected Apple platforms and released security updates
Both zero‑day vulnerabilities impact any Apple product that processes web content via WebKit, including iPhone, iPad, Mac, Apple Watch, Apple TV and the Vision Pro headset. Apple has shipped fixes in the following releases:
iOS 26.2 and iPadOS 26.2, as well as iOS 18.7.3 and iPadOS 18.7.3 for devices that remain on the older branch; macOS Tahoe 26.2; tvOS 26.2; watchOS 26.2; visionOS 26.2; and Safari 26.2 for desktop systems. Apple explicitly notes that exploitation has been observed in the wild, which significantly raises the urgency of applying these patches.
From a defensive standpoint, delaying updates in such scenarios increases exposure not only to the known exploit chains, but also to copycat attacks once technical details inevitably start circulating in the security research and criminal communities.
Coordination with Google and the link to a Chrome/ANGLE zero‑day
An important detail is the reuse of the identifier CVE-2025-14174 across both Apple and Google advisories. In the previous week, Google released an update for Chrome to fix a previously undisclosed zero‑day, later described as an “out‑of‑bounds memory access in ANGLE” – the graphics abstraction layer used by Chrome.
The shared CVE strongly suggests a coordinated, cross‑vendor disclosure and patching effort. This model has become standard for actively exploited vulnerabilities: when exploitation is confirmed, browser and OS vendors synchronize releases to shorten the window of opportunity for attackers who rely on the same bug across multiple platforms.
WebKit, iOS and the attractiveness of browser zero‑days for spyware campaigns
Apple states that the current WebKit zero‑days were used in an “extremely sophisticated targeted attack” against users running versions of iOS up to 26. The described pattern matches known spyware infection chains: initial compromise via a malicious web page or link, remote code execution in the browser, followed by privilege escalation and persistence on the device.
Public reports from teams such as Google Project Zero and Microsoft Threat Intelligence show that the number of detected zero‑day vulnerabilities in widely used platforms now routinely reaches several dozen per year. Commercial exploit vendors and state‑sponsored buyers sustain a market in which reliable browser‑based exploits for iOS or Android can be worth millions of dollars. In this context, a widely deployed engine like WebKit remains one of the highest‑value targets for surveillance operations.
Nine Apple zero‑days in 2025: signal of risk and of better detection
With these latest patches, Apple has already addressed nine zero‑day vulnerabilities in 2025 that were confirmed as exploited in real‑world attacks. Earlier fixes included CVE-2025-24085 in January, CVE-2025-24200 in February, CVE-2025-24201 in March, a double release for CVE-2025-31200 and CVE-2025-31201 in April, CVE-2025-43200 in June, and CVE-2025-43300 in August.
An increasing count of publicly acknowledged zero‑days does not automatically mean Apple’s platforms are becoming less secure. It often reflects stronger detection capabilities, closer cooperation with external researchers and greater transparency. For organizations and end users, however, the takeaway is clear: the cost of postponing OS and browser updates is rising steadily.
To reduce exposure, Apple device owners should install the latest versions of iOS, iPadOS, macOS, watchOS, tvOS, visionOS and Safari without delay, enable automatic updates and regularly verify that security patches are applied. Enterprises should enforce patch compliance via MDM solutions, limit access to sensitive data from outdated devices and monitor browser‑related network activity for anomalies. Prompt, ecosystem‑wide responses to zero‑day exploitation make it significantly harder for attackers to maintain reliable chains of compromise – and are now an essential element of modern cyber resilience.
