Overview
- Apple released iOS 26.2, a backported iOS 18.7.3, and updates for macOS, tvOS, watchOS, visionOS, and Safari to fix two exploited WebKit flaws tracked as CVE-2025-43529 and CVE-2025-14174.
- Google updated its Chrome advisory to identify CVE-2025-14174 as an out‑of‑bounds access in ANGLE, crediting Apple SEAR and Google TAG, and tying it to the same issue Apple fixed in WebKit.
- Apple said the bugs may have been used in an "extremely sophisticated" attack against specific targeted individuals on versions of iOS prior to iOS 26.
- U.S. cyber authorities have urged prompt patching, with federal guidance mandating updates for CVE-2025-14174 across Chrome and other Chromium-based browsers by early January.
- Because WebKit powers every browser on iOS, the flaws exposed multiple apps and browsers, and both companies have withheld detailed indicators as investigations continue.