In a significant and urgent move to protect its users, Apple has dispatched a sweeping wave of security updates across its entire hardware and software lineup, encompassing everything from the iPhone and Mac to the Apple Watch and the recently launched Vision Pro. This is not a routine maintenance release but a critical response to the discovery of two major security flaws that are already being actively used by attackers in the wild. The vulnerabilities reside within WebKit, the foundational browser engine that powers Safari and all other web browsers on iOS and iPadOS, creating a widespread and serious risk. The company has confirmed that these exploits were likely leveraged in highly sophisticated campaigns, signaling a direct threat from well-resourced adversaries. This situation highlights a persistent challenge for the tech giant and serves as a stark reminder for users that timely software updates are the first and most crucial line of defense against an evolving landscape of digital threats. The swift and comprehensive nature of the patch deployment underscores the severity with which Apple views this particular security breach.
The Anatomy of the Exploits
At the heart of this security alert are two distinct yet equally dangerous vulnerabilities, both of which could allow an attacker to execute arbitrary code simply by tricking a user into visiting a maliciously crafted webpage. The first flaw, tracked as CVE-2025-43529, is classified as a use-after-free vulnerability. This type of memory corruption error occurs when a program tries to access a portion of memory after it has already been freed, creating an opening that skilled attackers can manipulate to run their own unauthorized software on the device. The second, identified as CVE-2025-14174, is another memory corruption issue that carries a high-severity CVSS score of 8.8 out of 10. Further investigation revealed that this particular out-of-bounds memory access flaw is the very same one recently addressed by Google in its Chrome browser. The common link is the ANGLE graphics engine library, a component used to translate OpenGL calls to Direct3D, demonstrating how a single flaw in a shared library can have a cascading impact across different ecosystems. The discovery and subsequent reporting of these issues were the result of a collaborative effort between Apple’s own Security Engineering and Architecture (SEAR) team and Google’s prestigious Threat Analysis Group (TAG).
A Pattern of Targeted Attacks
The way these vulnerabilities were exploited provided critical insight into the nature of the threat, as Apple acknowledged its awareness that the flaws “may have been exploited in an extremely sophisticated attack against specific targeted individuals.” This specific language strongly suggested the involvement of mercenary spyware, a type of malicious software developed by private companies and sold to government agencies or other entities to conduct targeted surveillance on high-profile individuals such as journalists, activists, and political dissidents. Because WebKit is the mandatory rendering engine for all web browsers on iOS and iPadOS, including popular alternatives like Chrome and Firefox, the vulnerabilities posed a universal risk to all iPhone and iPad users, regardless of their preferred browser. In response, Apple’s patches were rolled out in iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2, with older devices receiving fixes in iOS 18.7.3 and iPadOS 18.7.3. The resolution of these two flaws brought the total number of zero-day vulnerabilities patched by Apple in 2025 to nine, a figure that underscored the persistent and increasingly sophisticated efforts by attackers to compromise one of the world’s most popular technology platforms.
