dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Apple Issues Security Updates After Two WebKit Flaws Found Exploited in the Wild

info@thehackernews.com (The Hacker News)
December 13, 2025
Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari web browser to address two security flaws that it said have been exploited in the wild, one of which is the same flaw that was patched by Google in Chrome earlier this week. The vulnerabilities are listed below – CVE-2025-43529 (CVSS score: N/A) – A use-after-free vulnerability in WebKit
Total
0
Shares
0
0
0
[[{“value”:”

Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari web browser to address two security flaws that it said have been exploited in the wild, one of which is the same flaw that was patched by Google in Chrome earlier this week.

The vulnerabilities are listed below –

  • CVE-2025-43529 (CVSS score: N/A) – A use-after-free vulnerability in WebKit that may lead to arbitrary code execution when processing maliciously crafted web content
  • CVE-2025-14174 (CVSS score: 8.8) – A memory corruption issue in WebKit that may lead to memory corruption when processing maliciously crafted web content

Apple said it’s aware that the shortcomings “may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”

It’s worth noting that CVE-2025-14174 is the same vulnerability that Google issued patches for in its Chrome browser on December 10, 2025. It’s been described by the tech giant as an out-of-bounds memory access in the company’s open-source Almost Native Graphics Layer Engine (ANGLE) library, specifically in its Metal renderer.

Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) have been credited with discovering and reporting the flaw, while Apple credited TAG with finding CVE-2025-43529.

Cybersecurity

This indicates that the vulnerabilities were likely weaponized in highly-targeted mercenary spyware attacks, given that they both affect WebKit, the rendering engine that’s also used in all third-party web browsers on iOS and iPadOS, including Chrome, Microsoft Edge, Mozilla Firefox, and others.

The flaws have been addressed in the following versions and devices –

  • iOS 26.2 and iPadOS 26.2 – iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
  • iOS 18.7.3 and iPadOS 18.7.3 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
  • macOS Tahoe 26.2 – Macs running macOS Tahoe
  • tvOS 26.2 – Apple TV HD and Apple TV 4K (all models)
  • watchOS 26.2 – Apple Watch Series 6 and later
  • visionOS 26.2 – Apple Vision Pro (all models)
  • Safari 26.2 – Macs running macOS Sonoma and macOS Sequoia

With these updates, Apple has now patched nine zero-day vulnerabilities that were exploited in the wild in 2025, including CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, and CVE-2025-43300.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

Hamas-affiliated APT targeting government agencies in the Middle East, Morocco

December 12, 2025
Next Post

CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling RCE Attacks

December 13, 2025
Related Posts
5 min

“Getting to Yes”: An Anti-Sales Guide for MSPs

Most MSPs and MSSPs know how to deliver effective security. The challenge is helping prospects understand why it matters in business terms. Too often, sales conversations stall because prospects are overwhelmed, skeptical, or tired of fear-based messaging. That’s why we created ”Getting to Yes”: An Anti-Sales Guide for MSPs. This guide helps service providers transform resistance into trust and
info@thehackernews.com (The Hacker News)
December 5, 2025
Read More
3 min

India Orders Phone Makers to Pre-Install Government App to Tackle Telecom Fraud

India's telecommunications ministry has ordered major mobile device manufacturers to preload a government-backed cybersecurity app named Sanchar Saathi on all new phones within 90 days. According to a report from Reuters, the app cannot be deleted or disabled from users' devices. Sanchar Saathi, available on the web and via mobile apps for Android and iOS, allows users to report suspected fraud,
info@thehackernews.com (The Hacker News)
December 1, 2025
Read More
3 min

Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails

A new agentic browser attack targeting Perplexity's Comet browser that's capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show. The zero-click Google Drive Wiper technique hinges on connecting the browser to services like Gmail and Google Drive to automate routine tasks by granting them
info@thehackernews.com (The Hacker News)
December 5, 2025
Read More