Apple says it fixed zero-day flaws used for 'sophisticated' attacks

News
By published

Two bugs in WebKit have been fixed

A person holding an iPhone running iOS 26.
(Image credit: Apple)
  • Apple patches two WebKit zero‑days (CVE‑2025‑43529 and CVE‑2025‑14174) used in a highly targeted attack
  • Flaws were jointly uncovered by Google TAG and Apple, with Chrome receiving a parallel fix
  • Updates span iOS, iPadOS, macOS, watchOS, tvOS, visionOS, and Safari, with users urged to patch quickly

Apple fixed two zero-day vulnerabilities exploited in an “extremely sophisticated attack” which, all things considered, could have been a cyber-espionage attack against one, or a handful of, high-profile individuals.

In a new security advisory, Apple said it deployed a patch for a use-after-free remote code execution (RCE) vulnerability in WebKit, as well as a WebKit memory corruption flaw.

WebKit is Apple’s browser engine responsible for rendering web pages. It powers Safari on macOS, iOS, and iPadOS, and is used by all browsers on iPhone and iPad.

Fixes deployed

The two bugs are now tracked as CVE-2025-43529, and CVE-2025-14174.

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26," Apple's security bulletin says.

What’s interesting is that both bugs were discovered by Google's Threat Analysis Group (TAG) (Apple also credited itself for the second flaw) - Google’s specialized cybersecurity arm which tracks and monitors primarily state-sponsored threat actors.

It’s also curious that at the same time, Google fixed the bug with the same identifier - CVE-2025-14174 - in Chrome. This suggests the two companies worked together to mitigate the risk, which is not surprising, but also not that common, and could indicate that the exploit was quite severe.

The devices impacted by these flaws include iPhone 11 and later, iPad Pro 12-9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), and iPad mini (5th generation and later).

It was fixed in OS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2.

While the chances of ordinary people being targeted through these flaws are somewhat slim, both companies still suggest everyone apply the fix as soon as possible.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.