Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices
Briefly

"Successful exploitation of the vulnerability could allow an attacker with memory write capability to execute arbitrary code on susceptible devices. Google Threat Analysis Group (TAG) has been credited with discovering and reporting the bug. 'Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,' the company said in an advisory. 'CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.'"
"It's worth noting that both CVE-2025-14174 and CVE-2025-43529 were addressed by Cupertino in December 2025, with the former first disclosed by Google as having been exploited in the wild. CVE-2025-14174 (CVSS score: 8.8) relates to an out-of-bounds memory access in ANGLE's Metal renderer component. Metal is a high-performance hardware-accelerated graphics and compute API developed by Apple. CVE-2025-43529 (CVSS score: 8.8), on the other hand, is a use-after-free vulnerability in WebKit that may lead to arbitrary code execution when processing maliciously crafted web content."
Apple released updates across iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS to address CVE-2026-20700, a memory corruption flaw in dyld. Successful exploitation could allow an attacker with memory write capability to execute arbitrary code on affected devices. Google Threat Analysis Group discovered and reported the bug. Apple stated that the issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS versions before iOS 26, and that CVE-2025-14174 and CVE-2025-43529 were also issued in response to the same report. Those two earlier CVEs were fixed in December 2025: CVE-2025-14174 is an out-of-bounds memory access in ANGLE's Metal renderer, and CVE-2025-43529 is a use-after-free in WebKit. Updates cover iPhone, iPad, Mac, Apple TV, Apple Watch, and Vision Pro models listed.
Read at The Hacker News