Overview
- Apple shipped iOS and iPadOS 26.2, macOS Tahoe 26.2, Safari 26.2, watchOS, tvOS, visionOS updates, plus an iOS/iPadOS 18.7.3 backport, to fix CVE-2025-14174 and CVE-2025-43529.
- Google patched CVE-2025-14174 in Chrome’s ANGLE component and Microsoft fixed it in Edge on December 11, following discovery credited to Apple SEAR and Google TAG.
- Apple says the flaws were leveraged in an extremely sophisticated campaign against specific individuals on pre‑iOS 26 devices, likely triggered by malicious web content.
- CISA added CVE-2025-14174 to its Known Exploited Vulnerabilities catalog on December 12, and Singapore’s SingCert issued an alert urging users to update with no local cases reported.
- Impacted hardware spans iPhone 11 and later and multiple recent iPad models, and experts advise updating from device settings, enabling MFA, and maintaining strong, unique passwords.