Apple Fixes Actively Exploited WebKit Zero-Day Flaws Across iOS and macOS

Apple has released critical security updates for its entire ecosystem after confirming that two serious WebKit vulnerabilities were actively exploited in the wild. The updates apply to iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and the Safari browser, highlighting the wide impact of these flaws.

According to Apple, at least one of these vulnerabilities was used in highly sophisticated attacks targeting specific individuals, making this update especially important for users concerned about privacy, surveillance, and advanced cyber threats.

The two vulnerabilities affect WebKit, Apple’s browser engine that powers Safari and is also mandatory for all third-party browsers on iOS and iPadOS, including Google Chrome, Microsoft Edge, and Mozilla Firefox. This means the flaws could be triggered simply by visiting a malicious website.

The vulnerabilities are:

CVE-2025-43529

• Type: Use-after-free vulnerability

• Impact: May allow arbitrary code execution

• Trigger: Processing maliciously crafted web content

A use-after-free bug happens when a program continues to use memory that has already been freed. Attackers can exploit this to run their own code on the device, potentially gaining control.

CVE-2025-14174 (CVSS Score: 8.8)

• Type: Memory corruption / out-of-bounds access

• Impact: May cause memory corruption

• Trigger: Processing malicious web content

This second flaw is particularly notable because it is the same vulnerability Google patched in Chrome on December 10, 2025. Google described it as an out-of-bounds memory access issue in the ANGLE (Almost Native Graphics Layer Engine) library, specifically within its Metal renderer.

Apple confirmed that it is aware these flaws “may have been exploited in an extremely sophisticated attack against specific targeted individuals”, especially on older iOS versions before iOS 26.

The language used by Apple strongly suggests the involvement of mercenary spyware or nation-state-level threat actors. These types of attacks are typically seen in campaigns targeting journalists, activists, political figures, diplomats, and senior executives.

Adding weight to this assessment, both vulnerabilities were discovered with help from Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG), a team well known for tracking advanced persistent threats (APTs) and spyware operations worldwide.

WebKit vulnerabilities are particularly dangerous because:

• WebKit is used by Safari on all Apple platforms

• Apple requires all iOS and iPadOS browsers to use WebKit internally

• Exploitation can happen via malicious websites, with no app installation needed

• These flaws are often used as zero-click or one-click exploits in spyware attacks

In simple terms, a user may only need to open a web page for the attack to succeed.

The vulnerabilities across a wide range of devices and operating systems:

iOS and iPadOS

• iOS 26.2 / iPadOS 26.2
  Supported on iPhone 11 and later, and newer iPad models

• iOS 18.7.3 / iPadOS 18.7.3
  Supported on iPhone XS and later, and compatible iPads

macOS

• macOS Tahoe 26.2 – All Macs running macOS Tahoe

Safari

• Safari 26.2 – For Macs running macOS Sonoma and macOS Sequoia

Other Apple Platforms

• tvOS 26.2 – Apple TV HD and Apple TV 4K (all models)

• watchOS 26.2 – Apple Watch Series 6 and later

• visionOS 26.2 – Apple Vision Pro (all models)

Apple strongly recommends updating all eligible devices immediately.