Apple has released macOS and iOS updates to patch dozens of vulnerabilities, including two zero-days that the tech giant says have been exploited in highly targeted attacks.
According to Apple’s advisories, the zero-days impact WebKit, the browser engine present in Safari, iOS, iPadOS, macOS, tvOS, watchOS, and visionOS.
One of the zero-days, CVE-2025-14174, has been described as a memory corruption issue, while the second, CVE-2025-43529, is a use-after-free bug. They can both be exploited using maliciously crafted web content to execute arbitrary code.
Apple announced patches for CVE-2025-14174 and CVE-2025-43529 with the release of iOS and iPadOS 26.2, iOS and iPadOS 18.7.3, macOS Tahoe 26.2, Safari 26.2 for macOS, tvOS 26.2, watchOS 26.2, and visionOS 26.2.
However, Apple’s advisories clarify that the vulnerabilities have been exploited in “an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26”.
The tech giant said the vulnerabilities were discovered by its own security team and Google’s Threat Analysis Group.
This, along with the brief description of the attacks, indicates that the zero-days have likely been exploited by commercial spyware vendors, which are known to target Android, iOS, macOS, Chrome, and WhatsApp.
CVE-2025-14174 is the mysterious Chrome zero-day
Google last week announced patches for a mysterious Chrome zero-day. The company said it had seen an exploit in the wild, but the flaw initially didn’t have a CVE identifier or any description, apart from a ‘high severity’ rating.
Google has now updated its original advisory to clarify that the previously unidentified zero-day is CVE-2025-14174.
The company says the security hole is an out-of-bounds memory access issue in the Angle graphics library. Because Angle is used by both Chrome’s Blink browser engine and WebKit, the zero-day impacts both Google and Apple products.
It appears Google and Apple have been coordinating the disclosure and patching of the vulnerability. According to Google’s advisory, the issue came to light on December 5.
Google has not shared any information on attacks targeting Chrome users.
It’s also worth noting that the Angle library is used by Chromium, and other Chromium-based browsers such as Edge, Opera, Vivaldi, and Brave are impacted as well.
Microsoft has already updated Edge to address CVE-2025-14174. Vivaldi has also been updated to patch the zero-day.
CISA has added CVE-2025-14174 to its Known Exploited Vulnerabilities (KEV) catalog.
