Overview
- Apple released iOS 26.2 and platform updates that patch two exploited WebKit vulnerabilities, CVE-2025-43529 and CVE-2025-14174, which Apple says were used to target specific individuals on pre‑iOS 26 devices.
- Google updated its Chrome advisory to name CVE-2025-14174—credited to Apple Security Engineering and Architecture and Google Threat Analysis Group—confirming a joint discovery and disclosure.
- Both flaws affect WebKit, which exposes all iOS browsers, and the activity bears the hallmarks of highly targeted mercenary or state‑linked spyware campaigns, though it has not been publicly attributed to any actor.
- CISA directed federal users to update Chrome and other Chromium browsers by January 2 or discontinue use, and security experts advise all users to patch without delay.
- Apple also shipped fixes for macOS, watchOS, tvOS, visionOS, and Safari, and issued iOS 18.7.3 so that older iPhones receive the same security content.