NG Solution Team

Is Apple WebKit’s vulnerability being actively exploited in attacks?

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical zero-day vulnerability in Apple WebKit, which is currently being exploited in cyberattacks. This vulnerability, identified as CVE-2025-43529, was added to the agency’s catalog of known exploited vulnerabilities on December 16, with a deadline set for January 5, 2026, for federal agencies to apply necessary patches.

Apple responded swiftly by releasing emergency security updates on December 12 to address two WebKit vulnerabilities that have been used in highly sophisticated attacks targeting specific individuals running older iOS versions. The vulnerability is described as a “use-after-free” flaw in WebKit’s memory management, and it allows attackers to execute arbitrary code via malicious web content without requiring user interaction. It affects a range of Apple platforms, including iOS, iPadOS, macOS, and others relying on WebKit for HTML rendering.

In a coordinated effort, Google also patched a related Chrome vulnerability, with both companies’ security teams working together to identify and resolve the memory corruption issue. The WebKit engine, integral to Safari, supports web browsing across Apple’s ecosystem, including iPhone, iPad, Mac, Apple Watch, Apple TV, and visionOS devices, as well as third-party applications using WebKit.

Apple has issued patches through updates such as iOS 26.2, iPadOS 26.2, macOS Tahoe 26.2, and more. Security experts caution that zero-day vulnerabilities pose significant risks, often linked to state-sponsored groups or commercial surveillance tools, and can quickly proliferate among threat actors once technical details are disclosed.

CISA’s directive mandates that federal agencies and contractors address known vulnerabilities within set deadlines, with the January 5 deadline specifically targeting CVE-2025-43529. Apple urges users to promptly update their devices via Settings > General > Software Update and to manually check for updates rather than relying solely on automatic updates in the initial days following the patch release.
