
Apple Releases Emergency Security Updates After Active WebKit Exploits

Apple has rolled out a series of security updates across its entire ecosystem after confirming that two serious WebKit vulnerabilities were actively exploited in real-world attacks. The fixes apply to iOS, iPadOS, macOS, Safari, and other Apple platforms.

According to Apple, the flaws were abused in “highly sophisticated attacks” targeting a small number of individuals running older versions of iOS. One of the vulnerabilities had already been addressed earlier this week by Google in its Chrome browser, highlighting the cross-platform risk posed by shared components.

The security issues affect WebKit, Apple’s web rendering engine that powers Safari and all third-party browsers on iOS and iPadOS, including Chrome, Firefox, and Microsoft Edge.

Details of the Vulnerabilities

Apple addressed the following flaws:

  • CVE-2025-43529 – A use-after-free bug that could allow attackers to execute arbitrary code when malicious web content is processed.
  • CVE-2025-14174 – A high-severity memory corruption issue that could be triggered by specially crafted web content.

Apple confirmed that the vulnerabilities may have been weaponized in targeted attacks before the patches were released.

Notably, CVE-2025-14174 is the same flaw Google fixed in Chrome on December 10, 2025. Google described it as an out-of-bounds memory access in the open-source ANGLE graphics library, specifically affecting the Metal renderer.

Apple credited its Security Engineering and Architecture (SEAR) team along with Google’s Threat Analysis Group (TAG) for discovering and reporting the issues.


A Sign of Targeted Spyware Campaigns

Security experts suggest the nature of these vulnerabilities indicates they were likely used in targeted surveillance or mercenary spyware operations, rather than mass exploitation. WebKit’s central role across Apple devices makes it an especially valuable target for attackers seeking deep system access.


Devices and Software Versions Affected

The vulnerabilities have been fixed in the following updates:

  • iOS 26.2 / iPadOS 26.2 – iPhone 11 and newer, recent iPad Pro, Air, standard, and mini models
  • iOS 18.7.3 / iPadOS 18.7.3 – iPhone XS and later, supported iPads
  • macOS Tahoe 26.2 – All Macs running macOS Tahoe
  • tvOS 26.2 – Apple TV HD and all Apple TV 4K models
  • watchOS 26.2 – Apple Watch Series 6 and later
  • visionOS 26.2 – Apple Vision Pro
  • Safari 26.2 – macOS Sonoma and macOS Sequoia
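
For teams tracking a device fleet, the fixed versions above can be turned into a patch-level check. The following is an added example, not code from Apple or from this article; the inventory rows and field names are constructed, and the mapping of Sonoma and Sequoia to major versions 14 and 15 is supplied here rather than taken from the article.

```python
# Added example: audit inventory rows against the fixed versions in the article.
# Minimum fixed version per platform and major-release branch (from the list above).
FIXED = {
    "iOS": {26: (26, 2, 0), 18: (18, 7, 3)},
    "iPadOS": {26: (26, 2, 0), 18: (18, 7, 3)},
    "macOS": {26: (26, 2, 0)},  # Tahoe only; Sonoma/Sequoia are covered via Safari
    "tvOS": {26: (26, 2, 0)},
    "watchOS": {26: (26, 2, 0)},
    "visionOS": {26: (26, 2, 0)},
    "Safari": {26: (26, 2, 0)},
}
SAFARI_ONLY_MACOS = {14, 15}  # Sonoma, Sequoia: the fix ships as Safari 26.2

def parse_version(text):
    """'18.7.3' -> (18, 7, 3), padded to three parts; ValueError if malformed."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def check(platform, version):
    """Return 'patched', 'vulnerable', 'unlisted-branch' or 'unparseable'."""
    try:
        v = parse_version(version)
    except (ValueError, AttributeError):
        return "unparseable"
    fixed = FIXED.get(platform, {}).get(v[0])
    if fixed is None:
        return "unlisted-branch"  # the article names no fixed version for this branch
    return "patched" if v >= fixed else "vulnerable"

def audit_host(row):
    """row: dict with 'os', 'os_version' and, for Macs, optional 'safari'."""
    status = check(row["os"], row["os_version"])
    if row["os"] == "macOS" and status == "unlisted-branch":
        major = parse_version(row["os_version"])[0]
        if major in SAFARI_ONLY_MACOS:
            return check("Safari", row.get("safari") or "")
    return status

# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    {"host": "iphone-01", "os": "iOS", "os_version": "18.7.2"},
    {"host": "iphone-02", "os": "iOS", "os_version": "26.2"},
    {"host": "ipad-01", "os": "iPadOS", "os_version": "17.7"},
    {"host": "mac-01", "os": "macOS", "os_version": "15.7", "safari": "26.1"},
    {"host": "mac-02", "os": "macOS", "os_version": "14.8", "safari": "26.2"},
]
REPORT = {row["host"]: audit_host(row) for row in INVENTORY}
```

A result of `unlisted-branch` means the article lists no fixed version for that release line, so the device needs manual review or a move to a listed branch.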

With these fixes, Apple has now patched nine zero-day vulnerabilities exploited in the wild in 2025, underscoring the increasing sophistication of modern cyberattacks.

Apple strongly recommends users update their devices immediately to reduce security risks.