Google and Apple have both issued urgent patches for zero-day vulnerabilities actively exploited in the wild, affecting their respective web browsers, Chrome and Safari. The vulnerabilities, tracked as CVE-2025-14174 and CVE-2025-43529, were both exploited before their official disclosures, highlighting the critical need for immediate attention from users and administrators.
CVE-2025-14174, affecting Google Chrome on Mac, involves out-of-bounds memory access in the ANGLE component. This flaw, with a CVSS score of 8.8, allows remote attackers to execute arbitrary code by tricking users into visiting a maliciously crafted HTML page. The vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog on December 12, 2025, and has been actively exploited in the wild, with multiple proof-of-concept exploits available.
Similarly, CVE-2025-43529 impacts Apple Safari and several other Apple products, including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. This use-after-free vulnerability, also rated with a CVSS score of 8.8, can lead to arbitrary code execution when processing malicious web content. Apple addressed this issue with improved memory management, releasing updates for Safari 26.2 and other affected platforms. The vulnerability was added to the KEV catalog on December 15, 2025.
Both vulnerabilities have been categorized with a Stakeholder-Specific Vulnerability Categorization (SSVC) of "attend," indicating the need for immediate action. Users are urged to update their browsers and operating systems to the latest versions to mitigate potential risks. Security teams should prioritize these patches to protect against potential exploitation, given the active use of these vulnerabilities in the wild.
CSURFACE