Apple Patches Actively Exploited WebKit Bugs
Apple shipped emergency security patches for two zero-day vulnerabilities in WebKit, the browser engine that powers Safari and every browser on iOS. The company confirmed both flaws were exploited in attacks against specific individuals.
The vulnerabilities—CVE-2025-43529 (unrated) and CVE-2025-14174 (CVSS 8.8)—were used together in a single incident. Apple learned of the exploitation through reports from third-party security researchers.
CVE-2025-43529 is a use-after-free flaw in WebKit that enables remote code execution when processing malicious web content. Google's Threat Analysis Group (TAG) discovered this vulnerability.
CVE-2025-14174 involves memory corruption in WebKit. Apple's security team found this issue while working alongside Google TAG.
The flaws affect iPhone 11 and newer models, iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later).
Apple addressed both issues in iOS 18.2 and iPadOS 18.2, iOS 17.7.3 and iPadOS 17.7.3, macOS Sequoia 15.2, tvOS 18.2, watchOS 11.2, visionOS 2.2, and Safari 18.2.
Coordinated Disclosure
This release follows a patch Google issued last week for a Chrome zero-day that initially lacked a CVE identifier. Google later updated its security bulletin, assigning CVE-2025-14174 and describing it as an "out-of-bounds memory access in ANGLE." The shared CVE indicates coordinated patching and information disclosure between Apple and Google.
Apple provided minimal technical details about the attacks, stating only that they targeted specific individuals running iOS versions prior to 18.2. Because WebKit powers every browser on iOS, including Chrome, a WebKit exploit reaches a target regardless of which browser they use, a pattern consistent with targeted spyware campaigns.
Per Apple's security advisory, exploitation appears limited to targeted attacks. Users should install the latest updates immediately.
These patches bring Apple's 2025 zero-day count to nine. Previous fixes addressed CVE-2025-24085 (January), CVE-2025-24200 (February), CVE-2025-24201 (March), CVE-2025-31200 and CVE-2025-31201 (April), CVE-2025-43200 (June), and CVE-2025-43300 (August).