Apple Releases Urgent Security Updates to Address Exploited WebKit Vulnerabilities

Apple Releases Crucial Security Updates to Address Exploited Vulnerabilities

On December 13, 2025, Apple took significant action to enhance the security of its devices by rolling out updates across multiple platforms, including iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and the Safari web browser. This update specifically targets two notable security flaws that have reportedly been exploited in the wild, ensuring users are better protected against advanced threats.

Overview of Vulnerabilities

Apple’s latest security update addresses two serious vulnerabilities in WebKit, the underlying engine powering the Safari browser and other web applications. The details of these vulnerabilities include:

  • CVE-2025-43529: A use-after-free vulnerability that could allow arbitrary code execution when processing malicious web content.

  • CVE-2025-14174: Rated with a CVSS score of 8.8, this is a WebKit issue in which processing maliciously crafted web content may lead to memory corruption.

Apple has confirmed awareness of these vulnerabilities being exploited in sophisticated attacks targeting specific individuals on versions of iOS prior to the release of iOS 26.

Shared Vulnerability with Google Chrome

Interestingly, CVE-2025-14174 is the same vulnerability for which Google released patches in its Chrome browser just days earlier on December 10, 2025. Google described this issue as an out-of-bounds memory access within its Almost Native Graphics Layer Engine (ANGLE), specifically affecting the Metal renderer. This highlights a growing concern for users, as vulnerabilities affecting WebKit can impact multiple browsers due to its widespread use across various platforms.

Collaborative Discovery Efforts

The identification and reporting of these vulnerabilities underscore the collaborative efforts in cybersecurity. Both Apple’s Security Engineering and Architecture (SEAR) team and the Google Threat Analysis Group (TAG) played crucial roles in discovering and reporting the flaws, illustrating the interconnected efforts of major tech companies to enhance consumer security.

Likely Targeted Exploitation

Given the nature of these vulnerabilities, there is a high likelihood that they have been leveraged in targeted mercenary spyware attacks. Their exploitation poses a significant risk to users, particularly because WebKit is utilized in various browsers on iOS and iPadOS, including Google Chrome, Microsoft Edge, and Mozilla Firefox, which widens the scope for potential attacks.

Details of the Update

The security flaws have been addressed in the following software versions:

  • iOS 26.2 and iPadOS 26.2: For devices such as iPhone 11 and newer, and iPad Pro models.
  • iOS 18.7.3 and iPadOS 18.7.3: Applicable to iPhone XS and newer, and specific iPad models.
  • macOS Tahoe 26.2: For Macs running macOS Tahoe.
  • tvOS 26.2: For all models of Apple TV HD and Apple TV 4K.
  • watchOS 26.2: For Apple Watch Series 6 and later models.
  • visionOS 26.2: For all variants of Apple Vision Pro.
  • Safari 26.2: For Macs running macOS Sonoma and macOS Sequoia.

Patching Zero-Day Vulnerabilities

With this latest round of updates, Apple has successfully patched nine zero-day vulnerabilities exploited in 2025. This proactive approach demonstrates the company’s commitment to security and user safety, which is crucial in a landscape where cyber threats continue to evolve. Notable vulnerabilities patched this year include CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, and several others that were addressed in previous updates.

By continuously providing updates and addressing critical vulnerabilities, Apple aims to fortify its systems against increasingly sophisticated cyber attacks, making it essential for all users to install the latest updates to ensure enhanced security for their devices.
