Emergency Patches for Apple and Google Zero-Day Exploits in Targeted Attacks
Apple and Google released emergency security updates after discovering that zero-day vulnerabilities in their software were being actively exploited in highly targeted attacks. The campaign, attributed to nation-state actors and commercial spyware vendors, focused on high-value individuals rather than the general public. Apple addressed two critical WebKit vulnerabilities, CVE-2025-14174 and CVE-2025-43529, which were exploited in sophisticated attacks against iPhones, iPads, and Macs running iOS versions prior to 26. Google also patched a Chrome vulnerability discovered in collaboration with Apple’s security team and Google’s Threat Analysis Group, indicating a coordinated response to a broader espionage campaign.
The Apple updates, released as iOS 26.2 and iPadOS 26.2, fixed the WebKit flaws that allowed arbitrary code execution and memory corruption through malicious web content. These vulnerabilities affected iPhone 11 and later models, as well as several iPad variants. In addition to the WebKit issues, Apple resolved over 30 other vulnerabilities across various components, including the Kernel and Screen Time. Both companies withheld detailed technical information, suggesting ongoing investigations into the attacks. The rapid deployment of these patches underscores the severity and sophistication of the threat, with both Apple and Google urging users to update their devices immediately.
Timeline
Dec 12, 2025
Apple discloses broad impact and additional fixes in December security release
Alongside the zero-day fixes, Apple said the December 12 updates addressed more than 30 other vulnerabilities affecting components such as the kernel, Screen Time, curl, macOS, tvOS, watchOS, visionOS, and Safari. Affected hardware included iPhone 11 and later and multiple iPad models, prompting guidance for users and organizations to update immediately.
Dec 12, 2025
Apple releases emergency updates for two exploited WebKit zero-days
On December 12, 2025, Apple released security updates including iOS 26.2, iPadOS 26.2, and fixes across other platforms to patch CVE-2025-43529 and CVE-2025-14174. Apple said the bugs could be triggered by malicious web content and may have enabled arbitrary code execution or memory corruption on devices running versions prior to iOS 26.
Dec 12, 2025
Apple and Google identify WebKit zero-days used in targeted attacks
Apple and Google Threat Analysis Group determined that two WebKit vulnerabilities, CVE-2025-43529 and CVE-2025-14174, were being actively exploited in highly targeted, extremely sophisticated attacks against specific individuals. Reporting linked the activity to spyware-style operations associated with nation-state or commercial surveillance actors, though no attacker was publicly named.
Dec 8, 2025
Google patches Chrome zero-day later identified as CVE-2025-14174
Earlier in the week before Apple's disclosure, Google patched a Chrome zero-day in the ANGLE library's Metal renderer. The flaw was later identified as CVE-2025-14174 and was reportedly discovered jointly by Apple SEAR and Google Threat Analysis Group.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Sources
1 more from sources like cyber security news
Related Stories
Emergency 0-Day Patches Issued by Apple and Google for Actively Exploited Vulnerabilities
Apple and Google have released emergency security updates to address zero-day vulnerabilities that were actively exploited in sophisticated attacks targeting users of their platforms. Apple issued patches across its ecosystem—including iPhones, iPads, and Macs—to fix two WebKit bugs, warning that these flaws had been abused in highly targeted attacks against specific individuals. Google, in parallel, released a Chrome Stable channel update to address multiple security flaws, including CVE-2025-14174, an out-of-bounds memory access vulnerability that was already being exploited in the wild. Both companies provided limited technical details but confirmed that the vulnerabilities were under active attack and that coordinated investigation revealed overlap in their findings, with Apple's security team and Google's Threat Analysis Group credited for discovery. Security researchers have noted that these vulnerabilities could be weaponized by commercial spyware vendors, and there is evidence suggesting that the flaws were exploited before patches were available. The urgency of the situation has led to widespread advisories urging users to update their devices immediately to mitigate the risk of compromise. The lack of detailed disclosure from both Apple and Google underscores the sensitive nature of the attacks and the ongoing threat posed by sophisticated adversaries targeting mainstream software platforms used by billions worldwide.
1 months ago
Coordinated Disclosure of Zero-Day Exploited in Chrome ANGLE and Apple WebKit
Google and Apple have both released emergency security updates to address a high-severity zero-day vulnerability, tracked as CVE-2025-14174, which was actively exploited in the wild. The flaw, an out-of-bounds memory access issue in the ANGLE graphics component, affected Google Chrome and was also present in Apple’s WebKit engine, impacting multiple Apple devices including iPhones, iPads, Macs, and other platforms. Google initially limited technical details but confirmed exploitation, prompting urgent updates for Chrome users, while Apple’s advisory highlighted that the attacks were highly sophisticated and targeted specific individuals running older iOS versions. The vulnerability was discovered by Google’s Threat Analysis Group and addressed through coordinated disclosure between Google and Apple. Apple patched the flaw across iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari, while Google updated Chrome to mitigate the risk. Both companies have withheld detailed attack information, but the exploitation pattern suggests use in targeted spyware campaigns. Users and organizations are strongly advised to update affected devices immediately to reduce exposure to ongoing attacks leveraging this zero-day.
1 months ago
Apple Patches Actively Exploited dyld Zero-Day in iOS and Other Platforms
Apple released security updates to address an **actively exploited zero-day** tracked as **CVE-2026-20700**, warning it may have been used in an “extremely sophisticated” attack targeting specific individuals on versions of iOS prior to *iOS 26*. The flaw affects **`dyld` (Apple’s dynamic linker)** and can allow **arbitrary code execution** when an attacker already has **memory write** capability; reporting attributes discovery to **Google’s Threat Analysis Group** and notes it may have been used as part of an exploit chain. Apple shipped fixes across its ecosystem, including *iOS 26.3*, *iPadOS 26.3*, *macOS Tahoe 26.3*, *watchOS 26.3*, *tvOS 26.3*, and *visionOS 26.3*. The same reporting indicates Apple also issued patches tied to the broader report for **CVE-2025-14174** (an out-of-bounds memory access issue in Chrome’s **ANGLE** graphics component on Mac) and **CVE-2025-43529** (a **use-after-free** leading to code execution), and commentary from security practitioners emphasized that enterprise risk is driven by **patch deployment speed**—particularly where updates rely on end users rather than enforced device management.
1 months ago