Apple patches two WebKit zero-day flaws actively exploited in sophisticated attacks targeting specific iPhone users running iOS versions prior to 26.
The iOS 26.2 and iPadOS 26.2 updates, released December 12, 2025, address CVE-2025-43529 and CVE-2025-14174 in WebKit. CVE-2025-43529 is a use-after-free vulnerability enabling arbitrary code execution via malicious web content, discovered by Google Threat Analysis Group.
CVE-2025-14174 is a related memory corruption issue, credited to Apple and Google TAG, with both flaws linked to targeted spyware campaigns.
| CVE ID | Component | Impact | Description | Researcher(s) |
| --- | --- | --- | --- | --- |
| CVE-2025-43529 | WebKit | Arbitrary code execution | Use-after-free, improved memory management | Google Threat Analysis Group |
| CVE-2025-14174 | WebKit | Memory corruption | Improved validation | Apple & Google TAG |
These flaws affect iPhone 11 and later models, plus specified iPad Pro, Air, and mini variants.
Other Critical Fixes
Apple resolved over 30 vulnerabilities across components such as Kernel, Foundation, Screen Time, and curl. Notable issues include a Kernel integer overflow (CVE-2025-46285) allowing root privilege escalation, discovered by Alibaba Group researchers, and multiple Screen Time logging flaws exposing Safari history or user data (CVE-2025-46277, CVE-2025-43538).
WebKit received additional patches for type confusion, buffer overflows, and crashes (e.g., CVE-2025-43541, CVE-2025-43501). Open-source flaws in libarchive (CVE-2025-5918) and curl (CVE-2024-7264, CVE-2025-9086) were also addressed.
| Component | CVE ID | Impact | Key Researcher |
| --- | --- | --- | --- |
| Kernel | CVE-2025-46285 | Root privileges | Kaitao Xie, Xiaolong Bai |
| Screen Time | CVE-2025-46277 | Access Safari history | Kirin (@Pwnrin) |
| Messages | CVE-2025-46276 | Access sensitive data | Rosyna Keller |
Affected Devices and Mitigation
Impacts span iPhone 11+, iPad Pro 12.9-inch (3rd gen+), iPad Pro 11-inch (1st gen+), iPad Air (3rd gen+), iPad (8th gen+), and iPad mini (5th gen+).
Users should update immediately via Settings > General > Software Update to mitigate the risk from these targeted exploits, which follow patterns seen in prior spyware attacks. Apple has released no details on the attackers, but the collaboration with Google underscores nation-state-level threats.
| Product | Affected Versions | Patched Version | Compatible Devices |
| --- | --- | --- | --- |
| iOS | Before 26.2 (exploited pre-26) | 26.2 | iPhone 11 and later |
| iPadOS | Before 26.2 (exploited pre-26) | 26.2 | iPad Pro 12.9″ (3rd gen+), iPad Pro 11″ (1st gen+), iPad Air (3rd gen+), iPad (8th gen+), iPad mini (5th gen+) |
