Apple Patches Two Exploited WebKit Bugs—Update Now

December 13, 2025 at 12:00 AM

Apple has released urgent security updates across iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari to fix two WebKit zero-day vulnerabilities actively exploited in the wild. If you use any Apple device, update as soon as possible.

What was fixed

  • CVE-2025-43529 (use-after-free in WebKit): Could allow arbitrary code execution via malicious web content.
  • CVE-2025-14174 (CVSS 8.8): A WebKit memory corruption issue tied to out-of-bounds memory access in Google’s ANGLE library (Metal renderer). This is the same flaw Chrome patched on December 10, 2025.

Who found the bugs

  • Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) reported CVE-2025-14174.
  • Google TAG is also credited with CVE-2025-43529.

Why this matters

  • Apple says the flaws may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.
  • Because all iOS and iPadOS browsers must use WebKit, the risk extends to third-party browsers like Chrome, Edge, and Firefox on Apple mobile devices. The activity is consistent with highly targeted mercenary spyware.

Patched versions and devices

  • iOS 26.2 and iPadOS 26.2: iPhone 11 and later; iPad Pro 12.9-inch (3rd gen+) and 11-inch (1st gen+); iPad Air (3rd gen+); iPad (8th gen+); iPad mini (5th gen+)
  • iOS 18.7.3 and iPadOS 18.7.3: iPhone XS and later; iPad Pro 13-inch; iPad Pro 12.9-inch (3rd gen+); iPad Pro 11-inch (1st gen+); iPad Air (3rd gen+); iPad (7th gen+); iPad mini (5th gen+)
  • macOS Tahoe 26.2: Macs running macOS Tahoe
  • tvOS 26.2: Apple TV HD and Apple TV 4K (all models)
  • watchOS 26.2: Apple Watch Series 6 and later
  • visionOS 26.2: Apple Vision Pro (all models)
  • Safari 26.2: Macs running macOS Sonoma and macOS Sequoia
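
A fleet check against the version list above, as an added example that is not part of the original article. The inventory record layout, the device names, and the status labels are assumptions; macOS Sonoma and Sequoia are taken as major versions 14 and 15, and any major version newer than the listed branches is assumed to include the fix.

```python
# Minimum fixed release per platform and major-version branch, from the list above.
PATCHED = {
    "iOS": {26: (26, 2), 18: (18, 7, 3)},
    "iPadOS": {26: (26, 2), 18: (18, 7, 3)},
    "macOS": {26: (26, 2)},
    "tvOS": {26: (26, 2)},
    "watchOS": {26: (26, 2)},
    "visionOS": {26: (26, 2)},
}
SAFARI_FIXED = (26, 2)  # Safari 26.2 covers macOS Sonoma and Sequoia

# Constructed sample inventory (hypothetical export format, not real devices).
FLEET = [
    {"name": "phone-a", "platform": "iOS", "os_version": "26.1"},
    {"name": "phone-b", "platform": "iOS", "os_version": "18.7.3"},
    {"name": "phone-c", "platform": "iOS", "os_version": "17.7"},
    {"name": "mac-a", "platform": "macOS", "os_version": "15.7", "safari_version": "26.1"},
    {"name": "mac-b", "platform": "macOS", "os_version": "14.8", "safari_version": "26.2"},
]

def parse(version):
    """'18.7.3' -> (18, 7, 3); short versions are zero-padded so '26.2' == '26.2.0'."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def at_least(version, minimum):
    return parse(version) >= tuple(minimum) + (0,) * (3 - len(minimum))

def status(device):
    """Return 'patched', 'update', or 'no-fix-listed' for one inventory record."""
    platform, os_ver = device["platform"], device["os_version"]
    major = parse(os_ver)[0]
    branches = PATCHED.get(platform)
    if branches is None:
        return "no-fix-listed"
    if major in branches:
        return "patched" if at_least(os_ver, branches[major]) else "update"
    if major > max(branches):
        return "patched"  # assumption: later major releases carry the fix
    if platform == "macOS" and major in (14, 15):
        # Sonoma/Sequoia get the WebKit fix through Safari, not an OS update.
        safari = device.get("safari_version")
        return "patched" if safari and at_least(safari, SAFARI_FIXED) else "update"
    return "no-fix-listed"  # the article lists no fixed release for this branch

def audit(fleet):
    return {d["name"]: status(d) for d in fleet}

if __name__ == "__main__":
    for name, result in audit(FLEET).items():
        print(f"{name}: {result}")
```

A result of `no-fix-listed` means the article names no patched release for that platform or version branch, so the device needs a decision other than "install the update".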

What to do now

  • iPhone/iPad: Settings > General > Software Update, then install and restart.
  • Mac: System Settings > General > Software Update (also update Safari if listed separately).
  • Apple Watch: Watch app on iPhone > General > Software Update.
  • Apple TV: Settings > System > Software Updates.
  • Vision Pro: Settings > General > Software Update.

Additional context

  • CVE-2025-14174 overlaps with Chrome’s fix in ANGLE (Metal renderer), underscoring cross-ecosystem exposure.
  • With these releases, Apple has addressed nine in-the-wild zero-days in 2025: CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, CVE-2025-43300, CVE-2025-43529, and CVE-2025-14174.

Bottom line: Update immediately to reduce the risk of compromise via malicious web content, especially if you use third-party browsers on iOS/iPadOS.

Source: The Hacker News
