Apple patches two WebKit zero-day flaws actively exploited in sophisticated attacks targeting specific iPhone users running iOS versions prior to 26.
The iOS 26.2 and iPadOS 26.2 updates, released December 12, 2025, address CVE-2025-43529 and CVE-2025-14174 in WebKit. CVE-2025-43529 involves a use-after-free vulnerability enabling arbitrary code execution via malicious web content, discovered by Google Threat Analysis Group.
CVE-2025-14174 is a related memory corruption issue, credited to Apple and Google TAG, with both flaws linked to targeted spyware campaigns.
| CVE ID | Component | Impact | Description | Researcher(s) |
|---|---|---|---|---|
| CVE-2025-43529 | WebKit | Arbitrary code execution | Use-after-free, improved memory management | Google Threat Analysis Group |
| CVE-2025-14174 | WebKit | Memory corruption | Improved validation | Apple & Google TAG |
These flaws affect iPhone 11 and later models, plus specified iPad Pro, Air, and mini variants.
Other Critical Fixes
Apple resolved over 30 vulnerabilities across components like Kernel, Foundation, Screen Time, and curl. Notable issues include a Kernel integer overflow (CVE-2025-46285) allowing root privilege escalation, discovered by Alibaba Group researchers, and multiple Screen Time logging flaws exposing Safari history or user data (CVE-2025-46277, CVE-2025-43538).
WebKit saw additional patches for type confusion, buffer overflows, and crashes (e.g., CVE-2025-43541, CVE-2025-43501). Open-source flaws in libarchive (CVE-2025-5918) and curl (CVE-2024-7264, CVE-2025-9086) were also addressed.
| Component | CVE ID | Impact | Key Researcher |
|---|---|---|---|
| Kernel | CVE-2025-46285 | Root privileges | Kaitao Xie, Xiaolong Bai |
| Screen Time | CVE-2025-46277 | Access Safari history | Kirin (@Pwnrin) |
| Messages | CVE-2025-46276 | Access sensitive data | Rosyna Keller |
Affected Devices and Mitigation
Impacts span iPhone 11+, iPad Pro 12.9-inch (3rd gen+), iPad Pro 11-inch (1st gen+), iPad Air (3rd gen+), iPad (8th gen+), and iPad mini (5th gen+).
Users should update immediately via Settings > General > Software Update to mitigate risks from these targeted exploits, consistent with patterns seen in prior spyware attacks. Apple notes no details on attackers, but collaboration with Google underscores nation-state-level threats.
| Product | Affected Versions | Patched Version | Compatible Devices |
|---|---|---|---|
| iOS | Before 26.2 (exploited pre-26) | 26.2 | iPhone 11 and later |
| iPadOS | Before 26.2 (exploited pre-26) | 26.2 | iPad Pro 12.9″ (3rd gen+), iPad Pro 11″ (1st gen+), iPad Air (3rd gen+), iPad (8th gen+), iPad mini (5th gen+) |
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
