Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Apple Patches Critical WebKit Vulnerabilities in iOS Update

13 December 2025 09:14

Following the discovery of two critical zero-day vulnerabilities in the WebKit browser engine, Apple has urgently released security updates for iPhone and iPad users.

Both vulnerabilities reside in WebKit, the engine that powers Safari and displays web content in the iOS ecosystem.

Tracked as CVE-2025-43529 and CVE-2025-14174, they allow attackers to run malicious code by tricking victims into visiting a specific web page.

To trigger the exploit, an attacker does not need physical access to the device; it is enough for maliciously crafted web content, such as a compromised website or malicious advertisement, to be processed.

Apple’s advisory states: “Apple is aware of a report that this issue may have been exploited in a highly sophisticated attack against specific individuals in iOS versions prior to iOS 26.”

This wording is usually reserved for state-sponsored mercenary spyware campaigns, which go after high-value targets such as journalists, diplomats and dissidents.

The two flaws stem from different weaknesses in the way the browser manages memory:

CVE-2025-43529 (Use-After-Free): Discovered by the Google Threat Analysis Group (TAG), this vulnerability involves a “use-after-free” error. In simple terms, the program attempts to use memory after it has been freed, allowing attackers to manipulate it to execute arbitrary code. Apple has addressed this issue with improved memory management (WebKit Bugzilla: 302502).

CVE-2025-14174 (Memory Corruption): Attributed to both Apple and Google TAG, this issue allows memory corruption, a condition that can crash a system or open a backdoor for attackers. It has been fixed with improved input validation (WebKit Bugzilla: 303614).

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.