Apple and Google Patch Critical Zero-Days Used in Sophisticated Attacks

Apple and Google have issued emergency security updates after discovering two zero-day vulnerabilities actively exploited in highly targeted attacks against specific individuals, likely orchestrated by government-backed hackers or mercenary spyware operators.

The coordinated patch release, announced this week, addresses critical flaws in WebKit (Apple's browser engine) and Chrome's ANGLE graphics library that were weaponized before vendors could develop fixes. 

Apple acknowledged the vulnerabilities "may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26."

The first flaw, CVE-2025-43529, is a use-after-free vulnerability in WebKit that could allow arbitrary code execution when processing malicious web content. 

The second, CVE-2025-14174, involves an out-of-bounds memory access issue in Chrome's ANGLE (Almost Native Graphics Layer Engine) library, specifically affecting its Metal renderer. Both vulnerabilities received CVSS severity scores indicating high-risk exploitation potential.

Researchers from Apple Security Engineering and Architecture (SEAR) and Google's Threat Analysis Group (TAG) discovered and reported the flaws. TAG specializes in tracking government-sponsored hackers and commercial spyware makers like NSO Group and Paragon Solutions, which strongly suggests nation-state involvement in these attacks.

The WebKit vulnerability is particularly concerning as it affects all third-party browsers on iOS and iPadOS, including Chrome, Edge, and Firefox, which are required to use Apple's rendering engine on those platforms.

Apple has released the fixes in iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, watchOS 26.2, tvOS 26.2, visionOS 26.2, and Safari 26.2. Google fixed the issue in Chrome version 143.0.7499.109/110.

Users should immediately update all devices to the latest versions. These two flaws are the ninth and tenth zero-day vulnerabilities Apple has addressed in 2025, highlighting the persistent threat from sophisticated actors who target journalists, dissidents, and human rights activists with advanced spyware tools.