Apple Patches Two Zero-Day Vulnerabilities Linked to Mysterious Exploited Chrome Flaw
Apple has released a new set of security updates to address two zero-day vulnerabilities that were being exploited in the wild and are tied to a recently disclosed flaw also patched in Google Chrome. The flaws, both located in the WebKit browser engine used by Safari and many third-party applications across Apple platforms, were being used in highly sophisticated targeted attacks before fixes were available, prompting urgent updates across iPhone, iPad, Mac, and other devices.
Overview of the Zero-Day Flaws
The two vulnerabilities consist of an out-of-bounds memory corruption flaw and a use-after-free issue in WebKit, both of which could be triggered by maliciously crafted web content. Bugs of these types can allow an attacker to execute arbitrary code on a victim’s device when the victim visits a specially constructed webpage or interacts with manipulated content. Apple confirmed that one of the flaws corresponds to a mysterious zero-day previously patched by Google in its Chrome browser, designated CVE-2025-14174, which involves improper memory handling in a shared graphics abstraction library.
Platforms and Products Affected
The patches were included in the December 2025 security updates across multiple Apple operating systems and products, including iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, and updates for Safari, tvOS, watchOS, and visionOS. Because WebKit is integral to Safari and embedded browsers in many apps, a wide range of Apple devices were at risk prior to the update. Users running older versions of these operating systems were particularly vulnerable.
Active Exploitation and Threat Context
Apple acknowledged reports that the zero-day flaws had been exploited in highly targeted attacks against specific individuals. The involvement of Google’s Threat Analysis Group in discovering and correlating the Chrome and WebKit issues suggests that sophisticated attackers, possibly using commercial spyware or custom exploit chains, were involved. The coordinated disclosure and patching effort between Apple and Google reflects the critical nature of the underlying vulnerability and its cross-platform impact.
Links to Chrome Zero-Day
The Chrome zero-day, patched by Google in early December 2025 and later assigned the identifier CVE-2025-14174, was found in a graphics abstraction layer used by both Chrome’s Blink rendering engine and Apple’s WebKit. Because this component is shared through open source libraries, the underlying flaw could be exploited across different browsers and platforms. Google confirmed that the flaw was actively exploited before the patch rollout, which triggered collaboration with Apple to ensure simultaneous mitigation.
Security Updates and Mitigation
Apple’s security updates address both zero-days and additional vulnerabilities affecting WebKit and other system components. Users are strongly advised to install the latest updates immediately to protect against ongoing exploitation. Patching is especially important for devices used to access sensitive information or corporate resources, as attackers exploiting these flaws could gain code execution capabilities that bypass normal security safeguards.
What Users Should Do
To mitigate the risk of compromise, users should ensure their devices are updated to the latest operating system versions and enable automatic updates where possible. In enterprise environments, IT administrators should prioritize deployment of the latest patches through managed update systems and enforce compliance to reduce exposure. Users and organizations should also remain vigilant for suspicious web content and avoid visiting untrusted sites or opening unexpected links that could trigger exploit attempts.
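As an added example (not code from the article, Apple, or any MDM product), the following POSIX shell snippet implements the compliance check an administrator would run across a fleet: it compares an installed OS version against the minimum patched versions named above (iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2). The product keys and the assumption that version segments are purely numeric are mine.

```shell
#!/bin/sh
# Added example: fleet compliance check against the December 2025 Apple
# updates described above. Version strings are compared segment by segment
# as integers, so "26.10" correctly ranks above "26.2" (a plain string
# comparison would get this wrong). Assumes numeric segments only.

# version_ge A B -> exit 0 if version A >= version B
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}          # leading segment of each
        [ -z "$ai" ] && ai=0              # missing segment counts as 0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac   # drop segment
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0                              # all segments equal
}

# Minimum patched version per product, taken from the advisory summary
# above. Products whose fixed version the article does not state (Safari,
# tvOS, watchOS, visionOS) are deliberately left out rather than guessed.
min_patched() {
    case "$1" in
        ios|ipados|macos) echo "26.2" ;;
        *) echo "" ;;
    esac
}

# check_patched PRODUCT VERSION -> prints PATCHED / VULNERABLE / UNKNOWN
# and returns 0 / 1 / 2 so it can drive scripted reporting.
check_patched() {
    min=$(min_patched "$1")
    if [ -z "$min" ]; then echo "UNKNOWN"; return 2; fi
    if version_ge "$2" "$min"; then echo "PATCHED"; return 0; fi
    echo "VULNERABLE"; return 1
}

# On a Mac, report the local machine; elsewhere run constructed samples.
if command -v sw_vers >/dev/null 2>&1; then
    check_patched macos "$(sw_vers -productVersion)" || :
else
    for v in 26.1 26.2 26.10; do
        printf 'ios %s: ' "$v"; check_patched ios "$v" || :
    done
fi
```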
Broader Implications
The discovery of these zero-day vulnerabilities and their exploitation before patch availability highlights the continued challenges faced by mobile and browser platform vendors in securing widely used code libraries against advanced threats. With WebKit and related graphics processing libraries integral to browsing and web app experiences, even subtle flaws can have far-reaching implications for user privacy and security when weaponized by attackers.
Conclusion
Apple’s emergency security updates patching two zero-day vulnerabilities tied to a mysterious Chrome exploit serve as a timely reminder of the dynamic threat landscape. Users and administrators should act quickly to update affected devices and apply defense-in-depth strategies to mitigate similar emerging threats. Keeping software up to date remains one of the most effective ways to reduce the risk posed by actively exploited vulnerabilities across platforms.