Apple iOS & iPadOS Patch 0-Days Vulnerabilities, Exploited in Targeted Attacks
Apple iOS & iPadOS Patch Zero-Days Vulnerabilities, Exploited in Targeted Attacks
Summary
| OEM | Apple |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-43529, CVE-2025-14174, CVE-2025-46285 and more |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Apple released iOS 26.2 and iPadOS 26.2 on December 12, 2025, addressing two actively exploited zero-day flaws in WebKit that were used in sophisticated targeted attacks. These updates patch multiple vulnerabilities across WebKit, Kernel, Screen Time and other components.
The primary fixes target two WebKit zero-days exploited against specific individuals prior to iOS 26, enabling arbitrary code execution through malicious web content.
Additional patches resolve kernel privilege escalation, Screen Time data leaks exposing Safari history, Messages sensitive data access and issues in Foundation, FaceTime, and curl. Users & Administrators are urged to update to the latest version of iOS & iPadOS.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Use-after-free vulnerability in WebKit | CVE-2025-43529 | iOS/iPadOS < 26.2 | Critical | 26.2 |
| Memory corruption vulnerability in WebKit | CVE-2025-14174 | iOS/iPadOS < 26.2 | Critical | 26.2 |
| An integer overflow vulnerability | CVE-2025-46285 | iOS/iPadOS < 26.2 | High | 26.2 |
Technical Summary
The primary WebKit vulnerabilities involve use-after-free errors and memory corruption during web content processing, allowing remote attackers to execute arbitrary code without user interaction.
Additional fixes cover kernel integer overflows for privilege escalation, logging flaws in Screen Time and Messages exposing sensitive data like Safari history and bounds check failures in Foundation and AppleJPEG leading to crashes or data access.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-43529 | WebKit | Use-after-free enabling arbitrary code execution via web content | Full device compromise through browsing |
| CVE-2025-14174 | WebKit | Memory corruption with improved input validation | Arbitrary code execution via malicious websites |
| CVE-2025-46285 | Kernal | Integer overflow addressed by adopting 64-bit timestamps | Root privilege escalation for apps |
There are more vulnerabilities that has been fixed with this update.
Recommendations
Update immediately: Settings > General > Software Update to iOS/iPadOS 26.2. or the
If immediate update is not possible
- Avoid suspicious websites/links (primary WebKit vector)
- Monitor for unusual behavior and review Screen Time logs
Conclusion
iOS 26.2 patches actively exploited zero-days and dozens of flaws that could lead to code execution, root access, and data leaks. Organizations should prioritize iOS 26.2 deployment and enhanced monitoring for ongoing spyware campaigns.
References:
Recent Comments