SecurityWeek
Apple Patches Two Zero-Days Tied to Mysterious Exploited Chrome Flaw

Apple has released macOS and iOS updates to patch two WebKit zero-days exploited in an “extremely sophisticated” attack.


Apple has released macOS and iOS updates to patch dozens of vulnerabilities, including two zero-days that the tech giant says have been exploited in highly targeted attacks.

According to Apple’s advisories, the zero-days impact WebKit, the browser engine present in Safari, iOS, iPadOS, macOS, tvOS, watchOS, and visionOS.

One of the zero-days, CVE-2025-14174, has been described as a memory corruption issue, while the second, CVE-2025-43529, is a use-after-free bug. They can both be exploited using maliciously crafted web content to execute arbitrary code.

Apple announced patches for CVE-2025-14174 and CVE-2025-43529 with the release of iOS and iPadOS 26.2, iOS and iPadOS 18.7.3, macOS Tahoe 26.2, Safari 26.2 for macOS, tvOS 26.2, watchOS 26.2, and visionOS 26.2.

However, Apple’s advisories clarify that the vulnerabilities have been exploited in “an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26”.

The tech giant said the vulnerabilities were discovered by its own security team and Google’s Threat Analysis Group.


This, along with the brief description of the attacks, indicates that the zero-days have likely been exploited by commercial spyware vendors, which are known to target Android, iOS, macOS, Chrome, and WhatsApp.

CVE-2025-14174 is the mysterious Chrome zero-day

Google last week announced patches for a mysterious Chrome zero-day. The company said it had seen an exploit in the wild, but the flaw initially did not have a CVE identifier or any description, other than a ‘high severity’ rating.

Google has now updated its original advisory to clarify that the previously unidentified zero-day is CVE-2025-14174.

The company says the security hole is an out-of-bounds memory access issue in the ANGLE graphics library. Because ANGLE is used by both Chrome’s Blink browser engine and WebKit, the zero-day impacts both Google and Apple products.

It appears Google and Apple have been coordinating the disclosure and patching of the vulnerability. According to Google’s advisory, the issue came to light on December 5.

Google has not shared any information on attacks targeting Chrome users.

It’s also worth noting that the ANGLE library is part of Chromium, so other Chromium-based browsers such as Edge, Opera, Vivaldi, and Brave are impacted as well.

Microsoft has already updated Edge to address CVE-2025-14174. Vivaldi has also been updated to patch the zero-day.

CISA has added CVE-2025-14174 to its Known Exploited Vulnerabilities (KEV) catalog.

Related: Apple Patches Zero-Day Exploited in Targeted Attacks

Related: CISA Warns of Spyware Targeting Messaging App Users

Related: Landfall Android Spyware Targeted Samsung Phones via Zero-Day

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
