Apple and Google have released urgent security updates to address a high-profile zero-day vulnerability affecting both WebKit and Chrome’s Blink engine. The flaw, now identified as CVE-2025-14174, has been actively exploited in highly targeted attacks against specific users.
Apple’s advisories confirm that two zero-day vulnerabilities in WebKit—CVE-2025-14174 and CVE-2025-43529—were exploited in the wild. CVE-2025-14174 is a memory corruption bug, while CVE-2025-43529 is a use-after-free issue. Both flaws allow attackers to execute arbitrary code through maliciously crafted web content. The vulnerabilities affect Safari, iOS, iPadOS, macOS, tvOS, watchOS, and visionOS.
Apple addressed these flaws in the release of iOS and iPadOS 26.2, iOS and iPadOS 18.7.3, macOS Tahoe 26.2, Safari 26.2 for macOS, tvOS 26.2, watchOS 26.2, and visionOS 26.2. The company emphasized that the zero-days were exploited in “extremely sophisticated attacks” targeting specific individuals on older iOS versions.
Google confirmed that CVE-2025-14174 also impacts Chrome, describing the flaw as an out-of-bounds memory access issue in the ANGLE graphics library. Because ANGLE is shared by Chrome’s Blink engine and Apple’s WebKit, the vulnerability affects multiple platforms. The flaw was discovered on December 5, and both tech giants appear to have coordinated disclosure and patching efforts.
Other Chromium-based browsers—including Microsoft Edge, Opera, Vivaldi, and Brave—are also affected. Microsoft and Vivaldi have already released updates to address the vulnerability. Meanwhile, CISA has added CVE-2025-14174 to its Known Exploited Vulnerabilities (KEV) catalog, signaling its active use in the wild.
Security experts suggest that commercial spyware vendors may have been exploiting these flaws, given the highly targeted nature of the attacks and the involvement of both Android and Apple ecosystems. Users are strongly advised to update affected devices and browsers immediately to mitigate risk.
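To act on the update advice, a device inventory can be compared against the fixed Apple releases listed above. The following Python sketch is an added example, not code from Apple, Google or the article's author; the inventory rows, host names and status labels are constructed for illustration, and the article gives no fixed Chrome version, so Chromium-based browsers are not covered.

```python
import re

# Fixed releases as listed in the article. Each tuple is one release train;
# a device is compared against the fix that shares its major version.
FIXED = {
    "iOS": [(18, 7, 3), (26, 2, 0)],
    "iPadOS": [(18, 7, 3), (26, 2, 0)],
    "macOS": [(26, 2, 0)],
    "Safari": [(26, 2, 0)],
    "tvOS": [(26, 2, 0)],
    "watchOS": [(26, 2, 0)],
    "visionOS": [(26, 2, 0)],
}

def parse_version(text):
    """Turn '18.7.3' or '26.2' into a 3-tuple of ints, padding with zeros."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def status(product, version):
    """Classify one install as patched, vulnerable, or needing manual review."""
    fixes = FIXED.get(product)
    if fixes is None:
        return "unknown-product"
    v = parse_version(version)
    for fix in fixes:
        if v[0] == fix[0]:
            return "patched" if v >= fix else "vulnerable"
    if v[0] > max(f[0] for f in fixes):
        return "patched"  # assumption: later major releases carry the fix
    # Older train with no fixed release named in the article: review by hand.
    return "no-fix-listed"

def audit(inventory):
    """Return (host, product, version, status) for every row not patched."""
    rows = ((h, p, v, status(p, v)) for h, p, v in inventory)
    return [row for row in rows if row[3] != "patched"]

# Constructed sample inventory (hypothetical hosts), e.g. exported from an MDM.
SAMPLE_INVENTORY = [
    ("exec-phone-01", "iOS", "18.7.2"),
    ("lab-ipad-03", "iPadOS", "26.2"),
    ("dev-mac-11", "macOS", "26.1"),
    ("kiosk-07", "iOS", "17.7.1"),
    ("tv-lobby", "tvOS", "26.2"),
]

if __name__ == "__main__":
    for host, product, version, state in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> {state}")
```

Rows reported as `no-fix-listed` are on a release train for which the article names no fixed version, so they need a manual check against the vendor advisory rather than being assumed safe.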