Overview
- Apple released iOS/iPadOS 26.2 and security backports such as iOS/iPadOS 18.7.3 to fix two exploited WebKit bugs tracked as CVE-2025-14174 and CVE-2025-43529, and described the exploitation as highly targeted, sophisticated attacks.
- CVE-2025-43529 was added to CISA’s Known Exploited Vulnerabilities catalog, which makes fixes mandatory for federal agencies by January 5, 2026.
- Google patched CVE-2025-14174 in Chrome after a joint report from Apple SEAR and Google TAG, and Microsoft updated Edge; the flaw is tied to an out‑of‑bounds issue in ANGLE.
- Singapore’s SingCert urged immediate updates; Apple’s device lists show that iPhone 11 and later and a wide range of recent iPad models are affected.
- Beyond the zero‑days, Apple’s releases address 20+ additional issues, including hidden photos exposure, sensitive payment token access, and FaceTime password field disclosure. Experts advise updating via Settings rather than through links or pop‑ups.