StratosAlly – Cybersecurity for digital safety

CVE-2025-43529 & CVE-2025-14174: Apple Issues Urgent Fixes for WebKit Zero-Days


StratosAlly


Apple has rolled out another round of security updates, and two of the WebKit vulnerabilities it fixes were found being actively exploited in highly targeted attacks, a reminder that the browser engine underpins far more than Safari tabs. According to Apple’s latest security notes and coordinated research with Google’s Threat Analysis Group, the flaws have already been used against specific individuals on devices running versions of iOS before iOS 26, which is why this round of patches lands across almost the entire Apple ecosystem at once. The vulnerabilities, tracked as CVE-2025-43529 and CVE-2025-14174, reside in WebKit, the rendering engine that all browsers on iOS and iPadOS are required to use, and they can be triggered when processing malicious web content.

What Exactly Went Wrong  

According to Apple’s iOS 26.2 and iPadOS 26.2 security advisory, the first bug, CVE-2025-43529, is a classic use-after-free in WebKit that can allow arbitrary code execution when the target processes a crafted web page. The second issue, CVE-2025-14174, is described as a memory corruption problem in WebKit that can also be triggered via maliciously crafted web content and has been assigned a CVSS score of 8.8. Google previously shipped a fix for the same underlying bug in Chrome on December 10, noting that it resides in the ANGLE graphics layer used by the Metal renderer, which explains why both Chrome and WebKit-based browsers ended up in the blast radius. 

The company explicitly states it is aware of reports that both issues may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. That detail is backed by the credits, which list Apple Security Engineering and Architecture alongside Google’s Threat Analysis Group as the discoverers of CVE-2025-14174, with TAG also credited for CVE-2025-43529. 

Where The Fixes Landed 

Apple’s response has not been limited to iPhones and iPads, and that is an important signal for anyone managing mixed Apple fleets. The two WebKit vulnerabilities have been addressed in iOS 26.2 and iPadOS 26.2, in parallel with the iOS 18.7.3 and iPadOS 18.7.3 lines for older devices, as well as in macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2 for Macs on Sonoma and Sequoia. With these two bugs, Apple’s count of patched zero-days known to be exploited in the wild in 2025 now stands at 9, including earlier entries such as CVE-2025-24201 and other WebKit-related flaws.

For users and defenders alike, the practical move is boring but effective: patch quickly, assume that high-value Apple endpoints are interesting to sophisticated attackers, and treat WebKit vulnerabilities as platform-level incidents rather than niche browser bugs. 
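To make "patch quickly" checkable across a fleet, the following Python script (an added example, not Apple's or StratosAlly's tooling) compares each device's reported OS or Safari version against the minimum fixed builds named in this advisory. The version table is taken from the article; the inventory format (device name, platform, version) and the sample devices are constructed for the example. It treats each release line separately, so iOS 18.7.3 counts as patched while iOS 26.1 does not, and it flags Macs on Sonoma (macOS 14) or Sequoia (macOS 15), where the fix ships as Safari 26.2 rather than an OS update.

```python
"""Fleet check against the fixed builds for CVE-2025-43529 / CVE-2025-14174.

Added example, not vendor tooling. Version table comes from Apple's
December 2025 advisory as summarised in the article; everything else
(inventory format, sample devices) is constructed for illustration.
"""
from typing import Dict, List, Tuple

# Minimum fixed version per platform and release line (from the advisory).
# A device is matched to the line whose major version equals its own.
PATCHED: Dict[str, List[str]] = {
    "iOS": ["26.2", "18.7.3"],
    "iPadOS": ["26.2", "18.7.3"],
    "macOS": ["26.2"],          # Tahoe; Sonoma/Sequoia are fixed via Safari 26.2
    "tvOS": ["26.2"],
    "watchOS": ["26.2"],
    "visionOS": ["26.2"],
    "Safari": ["26.2"],
}

# macOS majors that receive the fix through a Safari update, not an OS update.
SAFARI_ONLY_MACOS_MAJORS = {14, 15}  # 14 = Sonoma, 15 = Sequoia


def parse_version(text: str) -> Tuple[int, ...]:
    """'18.7.3' -> (18, 7, 3). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)


def cmp_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare zero-padded so that 26.2 == 26.2.0. Returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a2 = a + (0,) * (n - len(a))
    b2 = b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def patch_status(platform: str, version: str) -> str:
    """One of: 'patched', 'vulnerable', 'check-safari', 'no-fix-listed'."""
    if platform not in PATCHED:
        raise KeyError(f"unknown platform {platform!r}")
    have = parse_version(version)
    if platform == "macOS" and have[0] in SAFARI_ONLY_MACOS_MAJORS:
        return "check-safari"  # status depends on the installed Safari build
    for fixed in PATCHED[platform]:
        need = parse_version(fixed)
        if have[0] == need[0]:  # same release line
            return "patched" if cmp_versions(have, need) >= 0 else "vulnerable"
    return "no-fix-listed"  # release line not covered by this advisory


def audit(inventory: str) -> Dict[str, str]:
    """Parse 'device,platform,version' lines and return device -> status."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, platform, version = (f.strip() for f in line.split(","))
        results[device] = patch_status(platform, version)
    return results


# Constructed sample inventory (hypothetical devices and versions).
SAMPLE_INVENTORY = """
# device,platform,version
exec-iphone,iOS,26.1
exec-ipad,iPadOS,18.7.3
legacy-ipad,iPadOS,18.7.2
old-iphone,iOS,17.7.2
dev-mac,macOS,26.2
finance-mac,macOS,15.7
finance-mac-safari,Safari,26.2.1
lobby-tv,tvOS,26.2
"""

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device:<22} {status}")
```

Rows reporting `vulnerable` are the ones to push first; `check-safari` rows need the Safari version from the same Mac before a verdict, and `no-fix-listed` marks release lines the advisory does not cover, which deserve a separate look rather than being assumed safe.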

