Apple has shipped security fixes for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari to close two WebKit vulnerabilities that have already been exploited in real-world attacks. One of the issues matches a Chrome flaw that Google patched earlier in the week.

The vulnerabilities are listed below –

• CVE-2025-43529 (CVSS score: N/A) – A use-after-free vulnerability in WebKit that may lead to arbitrary code execution when processing maliciously crafted web content
• CVE-2025-14174 (CVSS score: 8.8) – A memory corruption issue in WebKit that may lead to memory corruption when processing maliciously crafted web content

Apple notes that these weaknesses “may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”

In particular, CVE-2025-14174 overlaps with the vulnerability that Google patched in Chrome on December 10, 2025. Google classifies it as an out-of-bounds memory access bug in the Almost Native Graphics Layer Engine (ANGLE) open-source library, in the component that implements its Metal renderer.

Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) are credited with identifying and reporting CVE-2025-14174, and Apple attributes the discovery of CVE-2025-43529 to TAG.

From an incident response standpoint, this strongly suggests the exploits were deployed in tightly scoped mercenary spyware operations, as both bugs live in WebKit, the browser engine that underpins all third-party browsers on iOS and iPadOS, including Chrome, Microsoft Edge, Mozilla Firefox, and others.

The flaws have been addressed in the following versions and devices –

• iOS 26.2 and iPadOS 26.2 – iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
• iOS 18.7.3 and iPadOS 18.7.3 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
• macOS Tahoe 26.2 – Macs running macOS Tahoe
• tvOS 26.2 – Apple TV HD and Apple TV 4K (all models)
• watchOS 26.2 – Apple Watch Series 6 and later
• visionOS 26.2 – Apple Vision Pro (all models)
• Safari 26.2 – Macs running macOS Sonoma and macOS Sequoia

With this round of patches, Apple has now closed nine zero-day vulnerabilities that were under active exploitation in 2025, including CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, and CVE-2025-43300.