CVE-2025-43529 & CVE-2025-14174: Apple and Google’s Zero-Day Patches
Apple has released emergency security updates to address two actively exploited zero-day vulnerabilities (CVE-2025-43529 & CVE-2025-14174) in WebKit. One of these flaws overlaps with a zero-day vulnerability that Google patched days earlier, pointing to coordinated disclosure and a shared threat landscape.
The limited public detail and Apple’s wording point to targeted, high-risk exploitation.
TL;DR
- Apple patched two WebKit zero-days: CVE-2025-43529 and CVE-2025-14174
- Apple confirmed active exploitation in “extremely sophisticated attacks”
- One CVE overlaps with a Google Chrome zero-day patched the previous week
- Affected systems include iOS, iPadOS, macOS, and Safari
Vulnerability Details
CVE-2025-43529
- Component: WebKit
- Vulnerability type: Use-after-free
- Impact: Arbitrary code execution
- Attack vector: Maliciously crafted web content
CVE-2025-14174
- Component: WebKit
- Vulnerability type: Memory corruption
- Impact: Potential code execution
- Attack vector: Malicious web content
Apple confirmed awareness that both vulnerabilities may have been exploited in targeted attacks against users running older versions of iOS.
CVE-2025-14174 details (Source: SOCRadar Vulnerability Intelligence)
Affected Apple Platforms
Apple deployed fixes on December 12 across multiple platforms:
- iOS 26.2
- iPadOS 26.2
- iOS 18.7.3
- iPadOS 18.7.3
- macOS Tahoe 26.2
Given WebKit’s role across system apps, the exposure extended beyond Safari alone.
Apple stated that the flaws may have been used in highly targeted, sophisticated attacks against older iOS versions. The patches apply to devices as far back as iPhone 11 and several earlier iPad models.
Apple shared no further technical detail, noting that it does not discuss security issues publicly. The fixes were released alongside additional updates addressing WebKit, Screen Time, and other components.
Connection to Google’s Chrome Zero-Day
Google first fixed the flaw last week, marking it only as high risk and sharing no details. It has since been confirmed that the issue was found on December 5 and involved a memory access bug in ANGLE, a graphics component also used by WebKit, which explains the impact on Apple.
Google issued an emergency Chrome update shortly before Apple’s disclosure. The company later confirmed that the Chrome flaw was CVE-2025-14174, the same CVE patched by Apple.
In Google’s advisory, the vulnerability was described as an out-of-bounds memory access issue in ANGLE, a shared graphics abstraction layer.
Refer to SOCRadar’s blog for further details: Google Chrome Zero-Day Actively Exploited via ANGLE Graphics Component
How Apple and Google share the same CVE
Apple and Google both patched CVE-2025-14174, which is the clearest technical link between the two sets of updates.
Apple lists CVE-2025-14174 as a WebKit memory corruption issue triggered by maliciously crafted web content, and Apple ties it to reports of highly targeted exploitation.
Google later used the same CVE ID in its Chrome Stable update and stated that an exploit exists in the wild. In Google and NVD descriptions, the same CVE maps to an out-of-bounds memory access bug in ANGLE, which Chrome uses for graphics handling.
Mitigation and Recommendations
Apple has released patches intended to address the identified zero-day vulnerabilities. Applying these updates remains the most effective mitigation.
Immediate actions
- Update all Apple devices to the latest available versions of iOS, iPadOS, and macOS without delay.
- Prioritize devices used by executives, journalists, researchers, and other high-risk users.
- Ensure Safari and all system apps are updated, as WebKit is used beyond the browser.
Enterprise and security team actions
- Enforce update compliance through MDM and endpoint management tools.
- Monitor devices for signs of exploitation, such as abnormal Safari crashes, unexpected process behavior, or unexplained privilege changes.
- Review web traffic and endpoint telemetry for indicators tied to malicious web content delivery.
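The update-compliance check described above can be scripted against a device inventory export. The following is an added example, not SOCRadar's or Apple's code: the fixed-version table is taken from the platform list in this article, while the inventory field names (name, platform, os_version, high_risk) and the sample devices are constructed assumptions.

```python
# Fixed builds as listed in this article (released December 12), keyed by
# (platform, major version). Branches the article does not list are absent.
FIXED = {
    ("iOS", 26): (26, 2),
    ("iOS", 18): (18, 7, 3),
    ("iPadOS", 26): (26, 2),
    ("iPadOS", 18): (18, 7, 3),
    ("macOS", 26): (26, 2),
}

def parse_version(text):
    """Turn '18.7.3' into (18, 7, 3); raises ValueError on malformed input."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(platform, os_version):
    """Return 'patched', 'vulnerable', or 'review' for one device."""
    try:
        version = parse_version(os_version)
    except ValueError:
        return "review"  # unparseable inventory data needs a human look
    fixed = FIXED.get((platform, version[0]))
    if fixed is None:
        return "review"  # branch has no fixed build listed in the article
    # Pad both tuples so that '26.2' and '26.2.0' compare equal.
    width = max(len(version), len(fixed))
    version += (0,) * (width - len(version))
    fixed += (0,) * (width - len(fixed))
    return "patched" if version >= fixed else "vulnerable"

def triage(devices):
    """List non-patched devices: high-risk users first, then vulnerable before review."""
    findings = [{**d, "status": classify(d["platform"], d["os_version"])} for d in devices]
    findings = [f for f in findings if f["status"] != "patched"]
    findings.sort(key=lambda f: (not f["high_risk"], f["status"] != "vulnerable", f["name"]))
    return findings

# Constructed sample inventory (hypothetical export format, not real devices).
SAMPLE = [
    {"name": "ceo-iphone", "platform": "iOS", "os_version": "18.7.2", "high_risk": True},
    {"name": "dev-mac", "platform": "macOS", "os_version": "26.1", "high_risk": False},
    {"name": "kiosk-ipad", "platform": "iPadOS", "os_version": "26.2", "high_risk": False},
    {"name": "lab-iphone", "platform": "iOS", "os_version": "17.7", "high_risk": False},
    {"name": "press-ipad", "platform": "iPadOS", "os_version": "18.7.3", "high_risk": True},
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['status']:<10} {f['name']:<12} {f['platform']} {f['os_version']}")
```

Devices on a branch with no fixed build in the table are reported as "review" rather than assumed safe, so they still reach an analyst.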
Risk reduction measures
- Limit exposure to untrusted web content on high-risk devices.
- Apply least-privilege controls where possible to reduce post-exploitation impact.
- Maintain visibility into cross-vendor vulnerability disclosures, as shared components can introduce indirect risk.
Organizations should treat these vulnerabilities as high priority due to confirmed in-the-wild exploitation and the broad role of WebKit across Apple platforms.
Conclusion
Apple’s emergency patches address two serious zero-day vulnerabilities with confirmed real-world exploitation. The overlap with Google’s Chrome zero-day reinforces the risk posed by shared components and browser engines.
The lack of public detail, combined with Apple’s wording, reflects a cautious disclosure approach often seen in cases of confirmed exploitation.
