- Apple issued security updates on December 13, 2025, addressing two WebKit vulnerabilities exploited in the wild.
- One flaw (CVE-2025-14174) is the same as the one patched by Google in Chrome earlier that week.
- The vulnerabilities risk arbitrary code execution and memory corruption through malicious web content.
- Updates cover iOS, iPadOS, macOS, watchOS, tvOS, visionOS, and Safari for multiple device models.
- These fixes mark the ninth set of zero-day vulnerabilities exploited in active attacks that Apple has patched in 2025.
Apple released security patches on December 13, 2025, for its operating systems and Safari browser. These updates address two WebKit security flaws that have been exploited in live attacks, according to the company. One of these vulnerabilities matches a flaw recently fixed by Google in its Chrome browser.
The first issue, CVE-2025-43529, is a use-after-free vulnerability in WebKit that can enable arbitrary code execution when processing malicious web content. The second, CVE-2025-14174, which carries a CVSS score of 8.8, is a flaw that may lead to memory corruption under similar conditions. Apple noted that these weaknesses may have been abused in highly sophisticated attacks targeting specific individuals on software versions prior to iOS 26, as mentioned on its support page.
CVE-2025-14174 is associated with an out-of-bounds memory access in the open-source Almost Native Graphics Layer Engine (ANGLE) library, particularly its Metal renderer. This flaw was discovered collaboratively by Apple Security Engineering and Architecture (SEAR) and the Google Threat Analysis Group (TAG), while TAG is credited with reporting CVE-2025-43529, as outlined in related NIST details.
Both vulnerabilities affect WebKit, the core rendering engine used not only by Safari but also by third-party browsers on iOS and iPadOS, including Chrome, Microsoft Edge, and Firefox. This suggests the attacks leveraging these flaws were highly targeted, possibly involving mercenary spyware.
The issues have been resolved in the following versions and devices:
- iOS 26.2 and iPadOS 26.2 for iPhone 11 and newer, various iPad Pro models, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later.
- iOS 18.7.3 and iPadOS 18.7.3 covering iPhone XS and newer, iPad Pro models including 13-inch, 12.9-inch 3rd gen and later, 11-inch 1st gen and later, iPad Air 3rd gen and later, iPad 7th gen and later, and iPad mini 5th gen and later.
- macOS Tahoe 26.2 for Macs running that version.
- tvOS 26.2 for Apple TV HD and Apple TV 4K models.
- watchOS 26.2 for Apple Watch Series 6 and later.
- visionOS 26.2 for all Apple Vision Pro models.
- Safari 26.2 on Macs running macOS Sonoma and macOS Sequoia.
This update brings Apple's total count of patched zero-day vulnerabilities exploited in the wild during 2025 to nine. Prior patches addressed issues including CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, and CVE-2025-43300.
