Apple released emergency security updates across iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari to patch two WebKit flaws that were actively exploited in the wild — one of which was the same vulnerability Google had patched in Chrome just days earlier.
The vulnerabilities are CVE-2025-43529 (CVSS 8.8), a use-after-free in WebKit, and CVE-2025-14174 (CVSS 8.8), a memory corruption issue — both could lead to arbitrary code execution via maliciously crafted web content. Apple said both “may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”
Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group discovered and reported the flaws, indicating they were likely weaponized in mercenary spyware attacks. With these updates, Apple patched nine zero-day vulnerabilities exploited in the wild in 2025.