Coordinated Disclosure of Zero-Day Exploited in Chrome ANGLE and Apple WebKit
Google and Apple have both released emergency security updates to address a high-severity zero-day vulnerability, tracked as CVE-2025-14174, which was actively exploited in the wild. The flaw, an out-of-bounds memory access issue in the ANGLE graphics component, affected Google Chrome and was also present in Apple’s WebKit engine, impacting multiple Apple devices including iPhones, iPads, Macs, and other platforms. Google initially limited technical details but confirmed exploitation, prompting urgent updates for Chrome users, while Apple’s advisory highlighted that the attacks were highly sophisticated and targeted specific individuals running older iOS versions.
The vulnerability was discovered by Google’s Threat Analysis Group and addressed through coordinated disclosure between Google and Apple. Apple patched the flaw across iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari, while Google updated Chrome to mitigate the risk. Both companies have withheld detailed attack information, but the exploitation pattern suggests use in targeted spyware campaigns. Users and organizations are strongly advised to update affected devices immediately to reduce exposure to ongoing attacks leveraging this zero-day.
Timeline
Dec 17, 2025
Apple documents macOS Tahoe 26.2 security fixes
On 2025-12-17, Apple published security content for macOS Tahoe 26.2, formally documenting fixes for vulnerabilities addressed in its December security updates. This reflected Apple's broader rollout of patches for the exploited WebKit issues across supported product lines.
Dec 17, 2025
WebKitGTK and WPE WebKit publish advisory for related exploited flaws
On 2025-12-17, the WebKitGTK and WPE WebKit projects published security advisory WSA-2025-0010 covering multiple vulnerabilities fixed before version 2.50.4, including CVE-2025-14174 and CVE-2025-43529. The advisory linked both flaws to sophisticated attacks targeting specific individuals and recommended immediate updates.
Dec 15, 2025
CISA adds Apple WebKit zero-days to the KEV catalog
By 2025-12-15, CISA had added CVE-2025-14174 and CVE-2025-43529 to its Known Exploited Vulnerabilities catalog following Apple's advisory. The listing elevated urgency for defenders and prompted government and security agencies to push immediate patching guidance.
Dec 12, 2025
Apple issues emergency updates for two exploited WebKit zero-days
On 2025-12-12, Apple released security updates across iOS, iPadOS, macOS, Safari, and other platforms to fix CVE-2025-43529 and CVE-2025-14174. Apple said the flaws were exploited in highly sophisticated, targeted attacks against specific individuals, with discovery attributed to Google's Threat Analysis Group and Apple security teams.
Dec 10, 2025
Google releases Chrome update fixing exploited ANGLE zero-day
On 2025-12-10, Google released a Chrome update (version 143.0.7499.109 or later) that fixes three vulnerabilities, including an actively exploited high-severity zero-day in the ANGLE graphics component's Metal renderer. Google limited technical details because the flaw was being exploited in the wild, and noted that other Chromium-based browsers could also be affected until patched.
Related Stories

Emergency 0-Day Patches Issued by Apple and Google for Actively Exploited Vulnerabilities
Apple and Google have released emergency security updates to address zero-day vulnerabilities that were actively exploited in sophisticated attacks targeting users of their platforms. Apple issued patches across its ecosystem—including iPhones, iPads, and Macs—to fix two WebKit bugs, warning that these flaws had been abused in highly targeted attacks against specific individuals. Google, in parallel, released a Chrome Stable channel update to address multiple security flaws, including CVE-2025-14174, an out-of-bounds memory access vulnerability that was already being exploited in the wild. Both companies provided limited technical details but confirmed that the vulnerabilities were under active attack and that coordinated investigation revealed overlap in their findings, with Apple's security team and Google's Threat Analysis Group credited for discovery. Security researchers have noted that these vulnerabilities could be weaponized by commercial spyware vendors, and there is evidence suggesting that the flaws were exploited before patches were available. The urgency of the situation has led to widespread advisories urging users to update their devices immediately to mitigate the risk of compromise. The lack of detailed disclosure from both Apple and Google underscores the sensitive nature of the attacks and the ongoing threat posed by sophisticated adversaries targeting mainstream software platforms used by billions worldwide.
1 month ago
Emergency Patches for Apple and Google Zero-Day Exploits in Targeted Attacks
Apple and Google released emergency security updates after discovering that zero-day vulnerabilities in their software were being actively exploited in highly targeted attacks. The campaign, attributed to nation-state actors and commercial spyware vendors, focused on high-value individuals rather than the general public. Apple addressed two critical WebKit vulnerabilities, CVE-2025-14174 and CVE-2025-43529, which were exploited in sophisticated attacks against iPhones, iPads, and Macs running iOS versions prior to 26. Google also patched a Chrome vulnerability discovered in collaboration with Apple’s security team and Google’s Threat Analysis Group, indicating a coordinated response to a broader espionage campaign. The Apple updates, released as iOS 26.2 and iPadOS 26.2, fixed the WebKit flaws that allowed arbitrary code execution and memory corruption through malicious web content. These vulnerabilities affected iPhone 11 and later models, as well as several iPad variants. In addition to the WebKit issues, Apple resolved over 30 other vulnerabilities across various components, including the Kernel and Screen Time. Both companies withheld detailed technical information, suggesting ongoing investigations into the attacks. The rapid deployment of these patches underscores the severity and sophistication of the threat, with both Apple and Google urging users to update their devices immediately.
1 month ago
Apple Patches Actively Exploited dyld Zero-Day in iOS and Other Platforms
Apple released security updates to address an actively exploited zero-day tracked as CVE-2026-20700, warning it may have been used in an “extremely sophisticated” attack targeting specific individuals on versions of iOS prior to iOS 26. The flaw affects dyld (Apple’s dynamic linker) and can allow arbitrary code execution when an attacker already has memory write capability; reporting attributes discovery to Google’s Threat Analysis Group and notes it may have been used as part of an exploit chain. Apple shipped fixes across its ecosystem, including iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3. The same reporting indicates Apple also issued patches tied to the broader report for CVE-2025-14174 (an out-of-bounds memory access issue in Chrome’s ANGLE graphics component on Mac) and CVE-2025-43529 (a use-after-free leading to code execution), and commentary from security practitioners emphasized that enterprise risk is driven by patch deployment speed, particularly where updates rely on end users rather than enforced device management.
1 month ago