
Apple iOS 26 WebKit Zero-Day Patches Leave Unpatched iPhones and iPads Exposed

Tags: iOS 26, iPadOS, zero-day, unpatched, browser exploitation, iPhone, WebKit, Apple, exploited in the wild, iPad, Safari, vulnerability, web content controls, zero-click, patch
Updated January 20, 2026 at 09:03 PM (2 sources)


Apple disclosed and patched two critical WebKit vulnerabilities, CVE-2025-43529 and CVE-2025-14174, that could allow attackers to execute code via Safari and potentially gain broad access to affected iPhones and iPads, including sensitive data such as passwords and financial information. Reporting describes the issues as zero-click/low-interaction style browser exploitation stemming from memory-handling flaws in WebKit, with claims they were exploited as zero-days in the wild prior to Apple’s fixes.

The fixes are reported as delivered in iOS 26, creating exposure risk for users who have not upgraded and for devices that cannot move beyond older iOS/iPadOS versions; multiple sources cite slow adoption of iOS 26, leaving a large population potentially unpatched. Separate coverage encouraging upgrades to iOS 26 frames security as a primary driver (patching “nasty security bugs”), reinforcing the operational takeaway for enterprises: accelerate iOS 26 rollout where supported, and apply compensating controls (e.g., device refresh planning, stricter web content controls, and MDM-enforced update compliance) for fleets that cannot upgrade.
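The operational takeaway above (enforce iOS 26 updates where supported, apply compensating controls where not) is the kind of check an MDM compliance job would run. The script below is an added example, not code from the page or from Mallory: it scores a constructed device inventory against the fix versions the page reports (iOS/iPadOS 26.2 for the two WebKit CVEs, 26.3 for the dyld CVE), comparing versions numerically rather than as strings, and separates devices that can simply be updated from devices that cannot reach a fixed release.

```python
"""Fleet exposure check against the iOS 26 WebKit/dyld fixes (added example)."""
from dataclasses import dataclass

# Minimum fixed version per CVE, taken from the page's reporting and assumed to
# apply to both iOS and iPadOS. Adjust if Apple backports fixes to older branches.
FIXED_IN = {
    "CVE-2025-43529": (26, 2, 0),   # WebKit use-after-free, fixed in 26.2
    "CVE-2025-14174": (26, 2, 0),   # WebKit memory-handling flaw, fixed in 26.2
    "CVE-2026-20700": (26, 3, 0),   # dyld, fixed in 26.3
}

def parse_version(s: str) -> tuple:
    """'26.2' -> (26, 2, 0); '18.7.4' -> (18, 7, 4). Tuples compare numerically,
    so '18.7.4' correctly sorts below '26.2' (string comparison would not)."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

@dataclass
class Device:
    name: str
    os_version: str
    supports_ios26: bool   # constructed attribute standing in for an MDM model lookup

def assess(device: Device) -> dict:
    """Return the CVEs a device is still exposed to and the recommended action."""
    current = parse_version(device.os_version)
    exposed = sorted(cve for cve, fixed in FIXED_IN.items() if current < fixed)
    if not exposed:
        action = "compliant"
    elif device.supports_ios26:
        action = "enforce update via MDM"
    else:
        action = "cannot reach fixed version: restrict web content, plan refresh"
    return {"device": device.name, "exposed": exposed, "action": action}

# Constructed sample inventory; these are not real devices.
SAMPLE_FLEET = [
    Device("iphone-001", "26.3", True),
    Device("ipad-014", "26.2", True),
    Device("iphone-077", "18.7.4", True),
    Device("ipad-legacy-3", "16.7.13", False),
]

def fleet_report(fleet=SAMPLE_FLEET) -> list:
    return [assess(d) for d in fleet]

if __name__ == "__main__":
    for row in fleet_report():
        print(row)
```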

Related Stories

Apple Patches Actively Exploited dyld Zero-Day in iOS and Other Platforms

Apple released security updates to address an **actively exploited zero-day** tracked as **CVE-2026-20700**, warning it may have been used in an “extremely sophisticated” attack targeting specific individuals on versions of iOS prior to *iOS 26*. The flaw affects **`dyld` (Apple’s dynamic linker)** and can allow **arbitrary code execution** when an attacker already has **memory write** capability; reporting attributes discovery to **Google’s Threat Analysis Group** and notes it may have been used as part of an exploit chain. Apple shipped fixes across its ecosystem, including *iOS 26.3*, *iPadOS 26.3*, *macOS Tahoe 26.3*, *watchOS 26.3*, *tvOS 26.3*, and *visionOS 26.3*. The same reporting indicates Apple also issued patches tied to the broader report for **CVE-2025-14174** (an out-of-bounds memory access issue in Chrome’s **ANGLE** graphics component on Mac) and **CVE-2025-43529** (a **use-after-free** leading to code execution), and commentary from security practitioners emphasized that enterprise risk is driven by **patch deployment speed**—particularly where updates rely on end users rather than enforced device management.

1 month ago

Emergency Patches for Apple and Google Zero-Day Exploits in Targeted Attacks

Apple and Google released emergency security updates after discovering that zero-day vulnerabilities in their software were being actively exploited in highly targeted attacks. The campaign, attributed to nation-state actors and commercial spyware vendors, focused on high-value individuals rather than the general public. Apple addressed two critical WebKit vulnerabilities, CVE-2025-14174 and CVE-2025-43529, which were exploited in sophisticated attacks against iPhones, iPads, and Macs running iOS versions prior to 26. Google also patched a Chrome vulnerability discovered in collaboration with Apple’s security team and Google’s Threat Analysis Group, indicating a coordinated response to a broader espionage campaign. The Apple updates, released as iOS 26.2 and iPadOS 26.2, fixed the WebKit flaws that allowed arbitrary code execution and memory corruption through malicious web content. These vulnerabilities affected iPhone 11 and later models, as well as several iPad variants. In addition to the WebKit issues, Apple resolved over 30 other vulnerabilities across various components, including the Kernel and Screen Time. Both companies withheld detailed technical information, suggesting ongoing investigations into the attacks. The rapid deployment of these patches underscores the severity and sophistication of the threat, with both Apple and Google urging users to update their devices immediately.

3 months ago
Apple security release notes and third-party reporting on iOS WebKit risk

Apple published multiple security release notes and update entries across its platforms, including iOS/iPadOS point releases (e.g., iOS/iPadOS 26.2.1, 18.7.4, 16.7.13, 15.8.6, 12.5.8) and watchOS 26.2.1, with Apple indicating **no published CVE entries** for several of the January 2026 point updates. Apple also refreshed or republished detailed historical security-content pages for older products, including macOS Big Sur 11.7.9 (listing fixes such as **CVE-2023-34425** kernel-privilege arbitrary code execution in Apple Neural Engine, **CVE-2023-32364** sandbox restriction bypass, and other privacy/logic issues), Xcode 14.1 (including multiple *git* issues such as **CVE-2022-29187**, **CVE-2022-39253**, **CVE-2022-39260**, plus an Xcode Server privilege issue **CVE-2022-42797**), and visionOS 2 for Apple Vision Pro (including issues like **CVE-2024-44126** heap corruption from crafted files, **CVE-2024-27876** arbitrary file write via archive unpacking race condition, and additional sandbox/data-access weaknesses). Separately, a vendor blog post warned that **critical WebKit vulnerabilities** could enable remote compromise of iOS devices via a malicious webpage (arbitrary code execution and potential credential/data theft), emphasizing patch latency as a key risk; however, the post does not clearly map its claims to specific Apple CVEs or to the “no published CVE entries” iOS/iPadOS point releases listed on Apple’s security releases page. A Reddit /r/netsec item about a **one-click** vulnerability in *IDIS Cloud Manager (ICM) Viewer* (triggered by clicking an untrusted link) is unrelated to Apple/WebKit and does not align with the Apple security-release content.

1 month ago
