Apple iOS & iPadOS Patch Zero-Days Vulnerabilities, Exploited in Targeted Attacks 

Summary 

OEM	Apple
Severity	Critical
CVSS Score	9.8
CVEs	CVE-2025-43529, CVE-2025-14174, CVE-2025-46285 and more
POC Available	No
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview 

Apple released iOS 26.2 and iPadOS 26.2 on December 12, 2025, addressing two actively exploited zero-day flaws in WebKit that were used in sophisticated targeted attacks. These updates patch multiple vulnerabilities across WebKit, Kernel, Screen Time and other components.

The primary fixes target two WebKit zero-days exploited against specific individuals prior to iOS 26, enabling arbitrary code execution through malicious web content.

Additional patches resolve kernel privilege escalation, Screen Time data leaks exposing Safari history, Messages sensitive data access and issues in Foundation, FaceTime, and curl. Users & Administrators are urged to update to the latest version of iOS & iPadOS. 

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
​Use-after-free vulnerability in WebKit	CVE-2025-43529	iOS/iPadOS < 26.2	Critical	26.2
Memory corruption vulnerability in WebKit	CVE-2025-14174	iOS/iPadOS < 26.2	Critical	26.2
An integer overflow vulnerability	CVE-2025-46285	iOS/iPadOS < 26.2	High	26.2

Technical Summary 

The primary WebKit vulnerabilities involve use-after-free errors and memory corruption during web content processing, allowing remote attackers to execute arbitrary code without user interaction.

Additional fixes cover kernel integer overflows for privilege escalation, logging flaws in Screen Time and Messages exposing sensitive data like Safari history and bounds check failures in Foundation and AppleJPEG leading to crashes or data access. 

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-43529	WebKit	Use-after-free enabling arbitrary code execution via web content	Full device compromise through browsing
CVE-2025-14174	WebKit	Memory corruption with improved input validation	Arbitrary code execution via malicious websites
CVE-2025-46285	Kernal	Integer overflow addressed by adopting 64-bit timestamps	Root privilege escalation for apps

There are more vulnerabilities that has been fixed with this update. 

Recommendations 

Update immediately: Settings > General > Software Update to iOS/iPadOS 26.2. or the 

If immediate update is not possible 

• Avoid suspicious websites/links (primary WebKit vector) 

• Monitor for unusual behavior and review Screen Time logs 

Conclusion 
iOS 26.2 patches actively exploited zero-days and dozens of flaws that could lead to code execution, root access, and data leaks. Organizations should prioritize iOS 26.2 deployment and enhanced monitoring for ongoing spyware campaigns. 

References: 

• https://support.apple.com/en-us/125884 

• https://cybersecuritynews.com/apple-0-day-vulnerabilities-exploited-2/