Apple has issued security updates with fixes for two WebKit vulnerabilities (CVE-2025-14174, CVE-2025-43529) that have been exploited as zero-days.
Several days before the release of these updates, Google fixed CVE-2025-14174 in the desktop version of Chrome, though at the time the issue had neither a CVE number nor a description.
In the meantime, CVE-2025-14174 was revealed to be an “out of bounds memory access [flaw] in ANGLE in Google Chrome on Mac prior to 143.0.7499.110”, which “allowed a remote attacker to perform out of bounds memory access via a crafted HTML page.”
CVE-2025-14174 was also fixed by Microsoft in its Chromium-based Edge browser on December 11 and added to CISA’s Known Exploited Vulnerabilities catalog on December 12.
The vulnerabilities (CVE-2025-14174, CVE-2025-43529)
CVE-2025-14174 was reported to Google by Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) on December 5.
The notes accompanying Apple’s security updates released on December 12 offer more information: CVE-2025-14174 is a memory corruption issue in WebKit, an open-source web browser engine that’s used by Safari and all browsers on iPhone and iPad, which explains the need for Chrome and Edge fixes.
“Apple is aware of a report that [CVE-2025-14174] may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report,” Apple shared.
CVE-2025-14174 may lead to memory corruption, and CVE-2025-43529 (also in WebKit) may allow arbitrary code execution. Based on the available information, they might have been exploited in tandem, triggered by the browser processing a maliciously crafted web page.
As usual, details about the attacks are withheld, though the wording points to targeted attacks delivering spyware. Nevertheless, it’s a good idea for all users to update their Apple devices as quickly as possible.
CVE-2025-14174 and CVE-2025-43529 have been fixed in:
Users of macOS Sequoia (the v15 branch) and macOS Sonoma (v14) can upgrade to the latest OS versions and update Safari to v26.2 to remediate these vulnerabilities.


