Everything you need to know about Google and Apple’s emergency zero-day patches

A serious zero-day bug was spotted in Chrome systems that impacts Apple users too, forcing both companies to issue emergency patches

Apple, Google, and other browser makers have rolled out patches for zero-day bugs that are already being used by threat actors in "sophisticated" attacks.

Google noted that an exploit for one of the bugs already exists in the wild. It was spotted by the company's Threat Analysis Group, which largely works on serious attacks led by state actors or similar, and was addressed in coordination with Apple engineers.

"For these Apple- and ANGLE-related issues, the quiet, coordinated disclosure strongly suggests the vendors viewed the bugs as high-risk and potentially already known to capable adversaries," Douglas McKee, director of vulnerability intelligence at Rapid7, told Dark Reading.

One of the bugs impacts other browser makers using Chromium, including Microsoft Edge and Vivaldi, which have also rolled out patches this week.

Patches for Apple

Alongside a set of other updates, Apple issued emergency patches for two issues in WebKit for devices running versions of its software before iOS 26. The flaws, CVE-2025-14174 and CVE-2025-43529, were credited, in full or in part, to Google Threat Analysis Group.

The first meant that accessing a webpage with "maliciously crafted" content could lead to arbitrary code execution. "A use-after-free issue was addressed with improved memory management," Apple said in a support document.

For the second, Apple said that malicious websites could lead to memory corruption, saying the issue was "addressed with improved validation."

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26," the company said in a support document detailing both issues.

The patches for the zero-day flaws are available for devices going back to iPhone 11, iPad Pro 12.9-inch 3rd generation, iPad Pro 11-inch 1st generation, iPad Air 3rd generation, iPad 8th generation, and iPad mini 5th generation.

Apple gave little extra detail about the zero-day flaws, saying it "doesn't disclose, discuss or confirm security issues". However, the tech giant issued a patch for the bugs alongside a set of other security issues that included further fixes for WebKit, the ScreenTime tool and more.

Google patches flaws

Google revealed its flaw via an update to the Stable Channel for the desktop version of its Chrome browser, crediting the discovery of CVE-2025-14174 to the Google Threat Analysis Group as well as Apple Security Engineering and Architecture.

Google had initially patched the flaw last week without any details beyond a "high" rating, but has now filled in a few details.

That flaw, labelled as a high-risk vulnerability, was first spotted December 5 and is caused by out-of-bounds memory access in Chrome's Almost Native Graphics Layer Engine (ANGLE), which is also used by WebKit, hence the impact on Apple.

"Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page," said the CVE.org support page for the flaw.

"Google is aware that an exploit for CVE-2025-14174 exists in the wild," Google added in a blog post.

The company also patched two other medium-level flaws in the stable channel at the same time.

Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.