“`html
Apple has rectified two WebKit zero-day vulnerabilities that are being actively exploited in complex attacks aimed at certain iPhone users utilizing iOS versions before 26.
The updates for iOS 26.2 and iPadOS 26.2, which were launched on December 12, 2025, resolve CVE-2025-43529 and CVE-2025-14174 within WebKit. CVE-2025-43529 pertains to a use-after-free flaw that allows arbitrary code execution through harmful web content, identified by Google Threat Analysis Group.
CVE-2025-14174 is a corresponding memory corruption concern, attributed to Apple and Google TAG, with both vulnerabilities associated with targeted spyware operations.
| CVE ID | Component | Impact | Description | Researcher(s) |
|---|---|---|---|---|
| CVE-2025-43529 | WebKit | Arbitrary code execution | Use-after-free, enhanced memory management | Google Threat Analysis Group |
| CVE-2025-14174 | WebKit | Memory corruption | Enhanced validation | Apple & Google TAG |
These vulnerabilities impact iPhone 11 and subsequent models, alongside particular iPad Pro, Air, and mini versions.
Additional Critical Fixes
Apple addressed over 30 security issues across various components including Kernel, Foundation, Screen Time, and curl. Significant concerns involve a Kernel integer overflow (CVE-2025-46285) which permits root privilege escalation, uncovered by researchers from Alibaba Group, and a number of logging vulnerabilities in Screen Time exposing Safari history or user details (CVE-2025-46277, CVE-2025-43538).
WebKit received further patches to fix type confusion, buffer overflows, and crashes (e.g., CVE-2025-43541, CVE-2025-43501). Additionally, open-source vulnerabilities in libarchive (CVE-2025-5918) and curl (CVE-2024-7264, CVE-2025-9086) were also rectified.
| Component | CVE ID | Impact | Key Researcher |
|---|---|---|---|
| Kernel | CVE-2025-46285 | Root privileges | Kaitao Xie, Xiaolong Bai |
| Screen Time | CVE-2025-46277 | Access Safari history | Kirin (@Pwnrin) |
| Messages | CVE-2025-46276 | Access sensitive data | Rosyna Keller |
Impacted Devices and Mitigation
The impacts encompass iPhone 11+, iPad Pro 12.9-inch (3rd gen+), iPad Pro 11-inch (1st gen+), iPad Air (3rd gen+), iPad (8th gen+), and iPad mini (5th gen+).
Users are urged to update promptly via Settings > General > Software Update to lessen risks from these targeted attacks, in line with trends observed in previous spyware operations. Apple has not disclosed specifics regarding the attackers, but collaboration with Google highlights nation-state-level threats.
| Product | Affected Versions | Patched Version | Compatible Devices |
|---|---|---|---|
| iOS | Before 26.2 (exploited pre-26) | 26.2 | iPhone 11 and newer |
| iPadOS | Before 26.2 (exploited pre-26) | 26.2 | iPad Pro 12.9″ (3rd gen+), iPad Pro 11″ (1st gen+), iPad Air (3rd gen+), iPad (8th gen+), iPad mini (5th gen+) |
“`