Emergency 0-Day Patches Issued by Apple and Google for Actively Exploited Vulnerabilities
Apple and Google have released emergency security updates to address zero-day vulnerabilities that were actively exploited in sophisticated attacks targeting users of their platforms. Apple issued patches across its ecosystem—including iPhones, iPads, and Macs—to fix two WebKit bugs, warning that these flaws had been abused in highly targeted attacks against specific individuals. Google, in parallel, released a Chrome Stable channel update to address multiple security flaws, including CVE-2025-14174, an out-of-bounds memory access vulnerability that was already being exploited in the wild. Both companies provided limited technical details but confirmed that the vulnerabilities were under active attack and that coordinated investigation revealed overlap in their findings, with Apple's security team and Google's Threat Analysis Group credited for discovery.
Security researchers have noted that these vulnerabilities could be weaponized by commercial spyware vendors, and there is evidence suggesting that the flaws were exploited before patches were available. The urgency of the situation has led to widespread advisories urging users to update their devices immediately to mitigate the risk of compromise. The lack of detailed disclosure from both Apple and Google underscores the sensitive nature of the attacks and the ongoing threat posed by sophisticated adversaries targeting mainstream software platforms used by billions worldwide.
Related Stories
Emergency Patches for Apple and Google Zero-Day Exploits in Targeted Attacks
Apple and Google released emergency security updates after discovering that zero-day vulnerabilities in their software were being actively exploited in highly targeted attacks. The campaign, attributed to nation-state actors and commercial spyware vendors, focused on high-value individuals rather than the general public. Apple addressed two critical WebKit vulnerabilities, CVE-2025-14174 and CVE-2025-43529, which were exploited in sophisticated attacks against iPhones, iPads, and Macs running versions of iOS prior to iOS 26. Google also patched a Chrome vulnerability discovered in collaboration with Apple’s security team and Google’s Threat Analysis Group, indicating a coordinated response to a broader espionage campaign.
The Apple updates, released as iOS 26.2 and iPadOS 26.2, fixed the WebKit flaws that allowed arbitrary code execution and memory corruption through malicious web content. These vulnerabilities affected iPhone 11 and later models, as well as several iPad variants. In addition to the WebKit issues, Apple resolved over 30 other vulnerabilities across various components, including the Kernel and Screen Time. Both companies withheld detailed technical information, suggesting ongoing investigations into the attacks. The rapid deployment of these patches underscores the severity and sophistication of the threat, with both Apple and Google urging users to update their devices immediately.
3 months ago
Coordinated Disclosure of Zero-Day Exploited in Chrome ANGLE and Apple WebKit
Google and Apple have both released emergency security updates to address a high-severity zero-day vulnerability, tracked as CVE-2025-14174, which was actively exploited in the wild. The flaw, an out-of-bounds memory access issue in the ANGLE graphics component, affected Google Chrome and was also present in Apple’s WebKit engine, impacting multiple Apple devices including iPhones, iPads, Macs, and other platforms. Google initially limited technical details but confirmed exploitation, prompting urgent updates for Chrome users, while Apple’s advisory highlighted that the attacks were highly sophisticated and targeted specific individuals running older iOS versions. The vulnerability was discovered by Google’s Threat Analysis Group and addressed through coordinated disclosure between Google and Apple. Apple patched the flaw across iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari, while Google updated Chrome to mitigate the risk. Both companies have withheld detailed attack information, but the exploitation pattern suggests use in targeted spyware campaigns. Users and organizations are strongly advised to update affected devices immediately to reduce exposure to ongoing attacks leveraging this zero-day.
2 months ago
Apple Patches Actively Exploited dyld Zero-Day in iOS and Other Platforms
Apple released security updates to address an **actively exploited zero-day** tracked as **CVE-2026-20700**, warning it may have been used in an “extremely sophisticated” attack targeting specific individuals on versions of iOS prior to *iOS 26*. The flaw affects **`dyld` (Apple’s dynamic linker)** and can allow **arbitrary code execution** when an attacker already has **memory write** capability; reporting attributes discovery to **Google’s Threat Analysis Group** and notes it may have been used as part of an exploit chain. Apple shipped fixes across its ecosystem, including *iOS 26.3*, *iPadOS 26.3*, *macOS Tahoe 26.3*, *watchOS 26.3*, *tvOS 26.3*, and *visionOS 26.3*. The same reporting indicates Apple also issued patches tied to the broader report for **CVE-2025-14174** (an out-of-bounds memory access issue in Chrome’s **ANGLE** graphics component on Mac) and **CVE-2025-43529** (a **use-after-free** leading to code execution), and commentary from security practitioners emphasized that enterprise risk is driven by **patch deployment speed**—particularly where updates rely on end users rather than enforced device management.
1 month ago