Apple Fixes Two Zero-day Flaws Exploited In 'sophisticated' Attacks

Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals.

The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation.

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26," reads Apple's security bulletin.

CVE-2025-43529 is a WebKit use-after-free remote code execution flaw that can be exploited by processing maliciously crafted web content. Apple says the flaw was discovered by Google’s Threat Analysis Group.

CVE-2025-14174 is a WebKit memory corruption flaw that could lead to memory corruption. Apple says the flaw was discovered by both Apple and Google’s Threat Analysis Group.

Apple has fixed the flaws in OS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2.

On Wednesday, Google fixed a mysterious zero-day flaw in Google Chrome, initially labeling it as “[N/A][466192044] High: Under coordination.”

However, Google has now updated the advisory to identify the bug as “CVE-2025-14174: Out-of-bounds memory access in ANGLE,” which is the same CVE fixed by Apple, indicating coordinated disclosure between the two companies.

Apple has not disclosed technical details about the attacks beyond saying they targeted individuals running versions of iOS before iOS 26.

As both flaws affect WebKit, which Google Chrome uses on iOS, the activity is consistent with highly targeted spyware attacks.

Source: BleepingComputer