Apple rolled out security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari browser to fix two WebKit vulnerabilities that the company says have been exploited in the wild. One of the flaws is the same issue Google addressed last week in its Chrome browser.
The first vulnerability, tracked as CVE-2025-43529, is a use-after-free bug in WebKit that could allow attackers to execute arbitrary code via maliciously crafted web content. The second, CVE-2025-14174, is a memory corruption issue that could also be exploited by specially crafted web pages. Apple warned that both flaws “may have been exploited in an extremely sophisticated attack against specific targeted individuals” running versions of iOS prior to iOS 26.
CVE-2025-14174 is notably the same vulnerability Google patched in Chrome on December 10, describing it as an out-of-bounds memory access in the Almost Native Graphics Layer Engine (ANGLE) library used by its Metal renderer. Google acknowledged at the time that it was aware of active exploitation.
Apple’s Security Engineering and Architecture team and Google’s Threat Analysis Group jointly discovered and reported CVE-2025-14174, while Apple credited Google’s researchers with uncovering CVE-2025-43529. The involvement of Google’s Threat Analysis Group, which typically tracks mercenary spyware and state-sponsored campaigns, indicates the exploits were likely used in highly targeted attacks.
Separately, the US Cybersecurity and Infrastructure Security Agency has recently added a high-severity flaw affecting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities catalog. The issue, CVE-2018-4063, is an unrestricted file upload vulnerability that can be abused to achieve remote code execution via a malicious HTTP request.