Apple and Google pushed emergency patches in mid-December after researchers tied two actively exploited flaws to highly targeted attacks that abused WebKit and Google’s ANGLE graphics library.
The fast timeline mattered: one vulnerability had already been weaponized in the wild against a small set of victims, and the other showed up in Chrome first before Apple rolled fixes across iPhone, iPad, Mac and more.
What went wrong
Two tracked bugs took center stage:
- CVE-2025-43529 — a WebKit use-after-free that can lead to arbitrary code execution when a device processes malicious web content. Google’s Threat Analysis Group (TAG) is credited with finding this one.
- CVE-2025-14174 — an out-of-bounds memory-access issue tied to the ANGLE renderer (the component Chrome uses to talk to system graphics layers). Apple and Google TAG were credited for reporting this flaw; Google said an exploit existed in the wild and the U.S. CISA added the bug to its Known Exploited Vulnerabilities catalog.
Because WebKit is Apple's browser engine and also the rendering layer that all third-party browsers on iOS must use, a WebKit flaw lets attackers target many different apps and browsers on Apple devices from a single vector.
Who found the problems — and what that implies
Both Apple’s security teams and Google’s TAG were involved in discovery and reporting. That collaboration — and Google’s initial note that the bug was being actively exploited — strongly points to targeted, sophisticated operations rather than broad spray-and-pray campaigns. Historically, that’s the signature of mercenary or state-level spyware aimed at journalists, activists or high-value individuals.
Security vendors and reporting outlets describe these as "highly targeted" attacks. The pattern is familiar: stealthy zero-click or web-based chains that pivot from a malicious page into full device compromise.
Where the fixes landed
Apple published updates across its ecosystem, including iOS and iPadOS 26.2 (the release that also included other feature and UI tweaks), macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2 and Safari 26.2. If you want the short route to the iOS update notes and the non-security changes shipped with 26.2, see the coverage of iOS 26.2 landing.
Google released Chrome patches to address the ANGLE flaw and a handful of other security issues; Chrome’s Windows and macOS builds were updated in the 143.0.7499.x line. The Chromium/ANGLE commit messages and follow-ups revealed that improper buffer sizing in the Metal renderer was likely the root cause.
Devices affected
Apple’s advisories list a broad range of modern hardware: iPhone 11 and later, many recent iPad Pro/Air/mini models, current Macs and newer Apple Watch and Apple TV models. The specifics differ by OS and device family, so check your device’s Software Update screen. To find the patch on an iPhone or iPad go to Settings > General > Software Update.
Streaming and living-room hardware were in the mix too — the fixes extended to Apple TV devices. If you’ve got an Apple TV in the house, it’s worth applying the update sooner rather than later.
What you should do now
- Update immediately: install iOS/iPadOS/macOS/tvOS/watchOS/visionOS updates as they appear for your hardware.
- Update desktop browsers: Chrome users should apply the 143.0.7499.x updates; other Chromium-based browsers will follow with their own builds.
- Be especially cautious if you or your organization are likely targets: security researchers believe these flaws were used in precise, high-value spyware campaigns.
If you rely on an Apple wearable for notifications or device unlocking, make sure watchOS is patched as well — yes, that includes your Apple Watch if it’s part of your daily workflow.
Beyond the immediate fixes
Apple’s advisory also bundled dozens of additional patches — kernel privilege escalations, Screen Time information leaks and various WebKit hardening changes — the usual annual drift toward a more resilient platform. That breadth is a reminder that modern updates frequently combine discrete emergency patches with routine maintenance.
For readers tracking Apple’s cadence and what the company may ship next, these rapid patches sit alongside the company’s broader roadmap; Apple continues refining features and security ahead of future releases documented in recent leaks and roadmaps about iOS 26.4 and beyond. If you’re curious about what’s coming down the line, read the piece on Apple’s next moves and roadmap.
Attackers have shown they’ll chain together small, subtle flaws to get full device access. Installing these updates doesn’t erase that risk entirely, but it removes the specific plumbing the exploits used. Do the update sooner rather than later — and keep an eye on official advisories if you manage devices for other people or for an organization.
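For anyone managing a fleet, here is an added example (not from Apple, Google or the original article) that checks an inventory export against the versions named above: 26.2 for Apple platforms and Safari, and the 143.0.7499 line for Chrome. The inventory rows, host names and Chrome build numbers are constructed, and the status labels are this example's own.

```python
import re

# Baselines named in the article. Assumption: anything below them is only
# "below baseline"; the article does not cover fixes for older OS lines.
APPLE_FIXED = (26, 2)
CHROME_LINE = (143, 0, 7499)   # the article gives no exact fourth component
APPLE_PRODUCTS = {"ios", "ipados", "macos", "tvos", "watchos", "visionos", "safari"}

def parse_version(text):
    """'26.1.1' or '26.2 (build string)' -> tuple of ints; ValueError if none."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def classify(product, version_text):
    """Return PATCHED, BELOW_BASELINE, CHECK_BUILD or UNKNOWN."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "UNKNOWN"
    name = product.strip().lower()
    if name in APPLE_PRODUCTS:
        # Tuple comparison: (26, 2, 1) >= (26, 2) and (26, 1, 1) < (26, 2).
        return "PATCHED" if version >= APPLE_FIXED else "BELOW_BASELINE"
    if name == "chrome":
        line = (version + (0, 0, 0))[:3]
        if line < CHROME_LINE:
            return "BELOW_BASELINE"
        # Inside the 143.0.7499 line the fixed build is not stated on the page,
        # so ask for a manual check; later lines are assumed to carry the fix.
        return "CHECK_BUILD" if line == CHROME_LINE else "PATCHED"
    return "UNKNOWN"

def needs_attention(inventory):
    """Rows whose status is anything other than PATCHED."""
    rows = [(host, prod, ver, classify(prod, ver)) for host, prod, ver in inventory]
    return [row for row in rows if row[3] != "PATCHED"]

INVENTORY = [  # constructed sample rows: (host, product, reported version)
    ("iphone-01", "iOS", "26.2"), ("iphone-02", "iOS", "26.1.1"),
    ("mac-07", "macOS", "26.2 (build string)"), ("tv-lobby", "tvOS", "26.0"),
    ("watch-03", "watchOS", "26.2.1"), ("win-12", "Chrome", "142.0.7000.1"),
    ("win-13", "Chrome", "143.0.7499.1"), ("kiosk-1", "Chrome", ""),
]

if __name__ == "__main__":
    for host, prod, ver, status in needs_attention(INVENTORY):
        print(f"{host:10} {prod:8} {ver or '-':22} {status}")
```

Rows marked CHECK_BUILD need their full build number compared with Google's release notes, since the article only names the release line.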