Apple Patches WebKit Zero-Days Linked to Spyware Attacks on Targeted Individuals
CVE-2025-14174 and CVE-2025-43529 were exploited in sophisticated attacks before Apple's December 12 emergency patches across iOS, macOS, and Safari.
Apple released emergency security updates on December 12 after confirming that two WebKit vulnerabilities were being exploited in what the company described as "extremely sophisticated" attacks against specific individuals. The flaws, tracked as CVE-2025-14174 and CVE-2025-43529, affect every Apple device capable of rendering web content.
TL;DR
- What happened: Two WebKit zero-days were exploited in targeted attacks before Apple patched them on December 12
- Who's affected: All Apple devices running iOS, iPadOS, macOS, watchOS, tvOS, or visionOS prior to the December updates
- Severity: High (CVSS 8.8) - Memory corruption enabling arbitrary code execution via malicious web content
- Action required: Update all Apple devices immediately; these are the 8th and 9th zero-days Apple has patched in 2025
What Are These Vulnerabilities?
CVE-2025-14174 is a memory corruption vulnerability in WebKit's handling of web content. The flaw exists in the ANGLE graphics library, a component that translates OpenGL calls to platform-specific graphics APIs. When processing specially crafted web content, ANGLE can trigger an out-of-bounds memory access that corrupts browser memory.
Successful exploitation gives attackers code execution within the WebKit process—a foothold that can be chained with sandbox escapes or privilege escalation bugs to fully compromise a device.
CVE-2025-43529 is a related WebKit vulnerability patched in the same update. Apple provided minimal details, describing it only as an issue where "maliciously crafted web content" could lead to code execution.
Connection to Chrome Zero-Day
CVE-2025-14174 is the same vulnerability Google patched in Chrome on December 10, 2025. The shared root cause is the ANGLE library, which Chromium, WebKit, and other browser engines use for graphics rendering.
Google's Threat Analysis Group (TAG) and Apple's Security Engineering and Architecture (SEAR) team jointly reported the vulnerability on December 5. The coordinated disclosure suggests the same threat actor was exploiting the flaw against both Chrome and Safari users.
Other Chromium-based browsers including Microsoft Edge, Brave, Opera, and Vivaldi have also released patches.
Who Was Targeted?
Apple's advisory states the vulnerabilities "may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26."
That phrasing—"extremely sophisticated" and "specific targeted individuals"—is Apple's standard language for spyware campaigns. Commercial surveillance vendors like NSO Group, Intellexa, and Candiru have historically exploited WebKit zero-days to deploy spyware against journalists, activists, lawyers, and political dissidents.
Neither Apple nor Google has attributed the attacks to a specific vendor or nation-state. The involvement of both TAG and SEAR in the discovery suggests significant resources were applied to identifying and stopping the campaign.
Apple's Zero-Day Count Reaches Nine for 2025
With CVE-2025-14174 and CVE-2025-43529, Apple has now patched nine zero-day vulnerabilities exploited in the wild during 2025. That's on pace with recent years—the company patched 11 zero-days in 2024 and 20 in 2023.
WebKit remains a frequent target. Because Apple requires all browsers on iOS to use WebKit as their rendering engine, a single WebKit vulnerability affects Safari, Chrome, Firefox, and every other browser on the platform. This policy makes WebKit zero-days exceptionally valuable to attackers.
CISA added CVE-2025-14174 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch within the standard remediation timeline.
What Devices Are Affected?
Every Apple device that displays web content needed this update. The fixes ship in these releases:
- iPhone and iPad: iOS 26.2, iOS 18.7.3, iPadOS 26.2, iPadOS 18.7.3
- Mac: macOS Tahoe 26.2, Safari 26.2 for Sonoma and Sequoia
- Apple TV: tvOS 26.2
- Apple Watch: watchOS 26.2
- Apple Vision Pro: visionOS 26.2
If you're running older versions of macOS that no longer receive full updates, Safari 26.2 addresses the vulnerability on those systems.
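An added example, not from the original article or from Apple: a branch-aware check of a device inventory against the fixed releases listed above. The CSV columns, platform keys and status names are assumptions. iOS and iPadOS have two patched branches (26.2 and 18.7.3), so a single "below 26.2" comparison would wrongly flag 18.7.3, and a string comparison would misorder multi-digit components.

```python
import csv
import io

# Fixed releases from the list above, one per patched branch (keys assumed).
FIXED = {
    "iOS": ["26.2", "18.7.3"], "iPadOS": ["26.2", "18.7.3"],
    "macOS": ["26.2"], "tvOS": ["26.2"],
    "watchOS": ["26.2"], "visionOS": ["26.2"],
}
SAFARI_FIX = "26.2"  # Safari release that covers Macs on Sonoma and Sequoia

def parse(version):
    """'18.7.3' -> (18, 7, 3); padded so that 26.2 equals 26.2.0."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(platform, version):
    """Classify an OS version against the fixed release of its own branch."""
    v = parse(version)
    fixes = [parse(f) for f in FIXED.get(platform, [])]
    if fixes and v >= max(fixes):
        return "patched"
    for fix in fixes:
        if fix[0] == v[0]:  # same major branch, e.g. 18.x against 18.7.3
            return "patched" if v >= fix else "needs-update"
    return "no-fix-listed"  # platform or branch with no fixed release above

def audit(csv_text):
    """Return {host: status}; older macOS is judged by its Safari version."""
    result = {}
    for r in csv.DictReader(io.StringIO(csv_text)):
        s = status(r["platform"], r["os_version"])
        if r["platform"] == "macOS" and s == "no-fix-listed" and r["safari_version"]:
            ok = parse(r["safari_version"]) >= parse(SAFARI_FIX)
            s = "patched" if ok else "needs-update"
        result[r["host"]] = s
    return result

# Constructed inventory export; hosts, versions and column names are made up.
INVENTORY = """host,platform,os_version,safari_version
iphone-a,iOS,26.1,
iphone-b,iOS,18.7.3,
ipad-a,iPadOS,17.7.2,
mac-a,macOS,15.7.2,26.2
mac-b,macOS,15.7.2,18.6
"""

if __name__ == "__main__":
    for host, s in audit(INVENTORY).items():
        print(f"{host:10} {s}")
```

Devices reported as `no-fix-listed` are on a branch for which the list above names no fixed release and need manual review.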
How to Protect Yourself
- Update all Apple devices to the latest available OS version via Settings > General > Software Update
- Enable automatic updates if you haven't already—zero-day patches need to reach devices quickly
- Restart your devices after updating to ensure the patches take effect
- Consider Lockdown Mode if you're a potential spyware target—it significantly reduces the attack surface for these exploitation chains
Frequently Asked Questions
Am I at risk from this vulnerability?
If you're an average user, probably not. Apple's description indicates these were highly targeted attacks against specific individuals, not mass exploitation. But you should still update immediately—once vulnerabilities are public, broader exploitation often follows.
Does this affect only Safari?
No. On iOS and iPadOS, all browsers use WebKit regardless of branding. Chrome, Firefox, Edge, and any other browser on your iPhone or iPad were affected until you updated. On macOS, third-party browsers use their own engines, but Safari users needed the patch.
How do I know if my device was compromised?
There's no easy way to check. If you believe you may be a spyware target, Apple's Lockdown Mode provides some protection against unknown exploits. Organizations like Amnesty International and Citizen Lab have published detection guides for various spyware families.