Advisory

Apple patches two actively exploited WebKit flaws

Take action: This one is important and urgent. The update fixes two actively exploited flaws, and Google and Apple don't share any technical details. So it's very smart to update your Apple ecosystem (all iPhones, iPads, and Mac computers). You may not think you are important enough for a targeted attack, but the flaws will become common knowledge soon, and then everyone becomes a target.


Learn More

Apple released iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2, patching over 50 security vulnerabilities, including two actively exploited flaws in WebKit.

Both actively exploited flaws were discovered through collaboration between Apple and Google Threat Analysis Group, and Google already released an emergency update for Chrome.

The security updates are available for iPhone 11 and later models, iPad Pro (12.9-inch 3rd generation and later), iPad Pro (11-inch 1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), iPad mini (5th generation and later), and all Mac computers running macOS Tahoe.

The two actively exploited vulnerabilities are in WebKit, the browser engine that powers Safari and multiple iOS and macOS applications:

  • CVE-2025-43529 is a use-after-free vulnerability that allows attackers to execute arbitrary code when processing maliciously crafted web content
  • CVE-2025-14174 (CVSS score 8.8) is a memory corruption issue that can be triggered through malicious web content. Google described it as an out-of-bounds memory access in the open-source ANGLE library's Metal renderer.

Apple acknowledged that both flaws were exploited in coordinated attacks against targeted individuals, consistent with patterns observed in sophisticated spyware campaigns. 

Beyond the zero-days, the iOS 26.2 and macOS Tahoe 26.2 updates address multiple vulnerabilities across system components. Key security fixes include:

  • CVE-2025-46285 - Kernel integer overflow allowing apps to gain root privileges
  • CVE-2025-43512 - Kernel logic issue enabling privilege escalation (macOS only)
  • CVE-2025-46291 - LaunchServices vulnerability allowing apps to bypass Gatekeeper checks (macOS only)
  • CVE-2025-46281 - File Bookmark logic issue enabling sandbox escape (macOS only)
  • CVE-2025-43527 - StorageKit permissions flaw allowing root privilege escalation (macOS only)
  • CVE-2025-46277 - Screen Time logging flaw enabling apps to access Safari browsing history
  • CVE-2025-43538 - Screen Time data exposure vulnerability allowing access to sensitive user data
  • CVE-2025-43542 - FaceTime vulnerability that could unintentionally reveal password fields during remote device control sessions
  • CVE-2025-46276 - Messages information disclosure issue allowing apps to access sensitive user data
  • CVE-2025-43428 - Photos configuration flaw permitting unauthorized viewing of Hidden Photos Album
  • CVE-2025-46288 - App Store permissions issue allowing apps to access sensitive payment tokens
  • CVE-2025-43523, CVE-2025-43519, CVE-2025-43522, CVE-2025-43521 - Multiple AppleMobileFileIntegrity vulnerabilities enabling access to sensitive user data, with downgrade issues affecting Intel-based Mac computers (macOS only)
  • CVE-2025-46289 - AppSandbox logic issue allowing access to protected user data (macOS only)
  • CVE-2025-43517 - Call History privacy issue exposing protected user data through inadequate log redaction (macOS only)
  • CVE-2025-46283 - CoreServices logic flaw enabling access to sensitive user data (macOS only)
  • CVE-2025-43509 - Networking vulnerability allowing apps to access sensitive user data (macOS only)
  • CVE-2025-43410 - Notes cache handling issue allowing physical attackers to view deleted notes (macOS only)
  • CVE-2025-43526 - Safari Lockdown Mode bypass on Mac computers (macOS only)
  • CVE-2025-43416 - sudo logic issue allowing access to protected user data (macOS only)
  • CVE-2025-43516 - Voice Control session management flaw enabling unauthorized transcription (macOS only)
  • CVE-2025-43530 - VoiceOver vulnerability allowing apps to access sensitive user data (macOS only)
  • CVE-2024-7264 and CVE-2025-9086 - Multiple vulnerabilities in the curl open-source library
  • CVE-2025-5918 - libarchive file processing vulnerability leading to memory corruption
  • CVE-2024-8906 - Safari Downloads origin association vulnerability (macOS only)
  • CVE-2025-43533 - Multi-Touch memory corruption issues from malicious HID devices, discovered by Google Threat Analysis Group

The updates also patch additional WebKit vulnerabilities, including CVE-2025-43541 (type confusion), CVE-2025-43536 (use-after-free), CVE-2025-43535 (memory handling), CVE-2025-43501 (buffer overflow), CVE-2025-43531 (race condition), CVE-2025-46282 (permissions issue allowing apps to access sensitive user data on macOS), and CVE-2025-43511 (WebKit Web Inspector use-after-free). 

The Foundation framework received fixes for CVE-2025-43518, which addressed a logic issue allowing apps to inappropriately access files through the spellcheck API, and CVE-2025-43532, a memory corruption vulnerability.

The Calling Framework was updated to prevent FaceTime caller ID spoofing (CVE-2025-46287), while the Icons component received restrictions to prevent apps from identifying installed applications (CVE-2025-46279). 

Additional macOS-specific patches addressed vulnerabilities in Game Center (CVE-2025-46278), MDM Configuration Tools (CVE-2025-43513), Siri (CVE-2025-43514), SoftwareUpdate (CVE-2025-43519), and Audio (CVE-2025-43482). 

Users are strongly urged to update immediately through Settings > General > Software Update on iOS and iPadOS devices, or System Settings > General > Software Update on macOS.
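
For teams managing many devices, the same update check can be run against an inventory export. The following is an added example, not part of the original advisory or any Apple tooling: it compares each device's OS version with the fixed releases named above. The CSV layout, hostnames and status labels are assumptions constructed for illustration.

```python
import csv
import io

# Fixed releases named in the advisory, per OS and major-version branch.
FIXED = {
    "iOS": {26: "26.2", 18: "18.7.3"},
    "iPadOS": {26: "26.2", 18: "18.7.3"},
    "macOS": {26: "26.2"},
    "tvOS": {26: "26.2"},
    "watchOS": {26: "26.2"},
    "visionOS": {26: "26.2"},
}

def parse_version(text):
    """'18.7' -> (18, 7, 0): pad to three parts so tuples compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(os_name, version_text):
    """Return 'patched', 'needs_update' or 'no_listed_fix' for one device."""
    branches = FIXED.get(os_name)
    try:
        version = parse_version(version_text)
    except ValueError:
        return "no_listed_fix"  # unparseable version: review by hand
    if not branches or version[0] not in branches:
        return "no_listed_fix"  # branch has no fixed release in the advisory
    fixed = parse_version(branches[version[0]])
    return "patched" if version >= fixed else "needs_update"

# Constructed sample inventory (hypothetical hostnames and column names).
SAMPLE_INVENTORY = """hostname,os,version
exec-iphone-01,iOS,26.1
field-ipad-07,iPadOS,18.7.3
dev-mbp-12,macOS,26.2
kiosk-ipad-03,iPadOS,18.7
legacy-mac-02,macOS,15.6
lobby-atv-01,tvOS,26.0.1
"""

def audit(inventory_csv):
    """Group hostnames by patch status."""
    report = {"patched": [], "needs_update": [], "no_listed_fix": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row["os"], row["version"])].append(row["hostname"])
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Devices reported as `no_listed_fix` run a branch for which this advisory names no fixed release and need a manual check against the vendor's own security notes.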
