Apple Patches Everything: December 2025 Edition
Never release on a Friday. Unless you are Apple :) Apple released updates for all of its operating systems today. These updates were expected for this week, a second release candidate being released on Monday made me think that they may wait a week to push the final product. This is a "step update" for the operating systems, including various small feature updates. Across Apple's operating systems, the update fixes a total of 48 vulnerabilities. Two of the vulnerabilities are already actively exploited in targeted attacks.
Both exploited vulnerabilities affect WebKit and, with that, are exploitable by visiting a malicious webpage. WebKit is used by various software that displays HTML pages, not just Safari. The first vulnerability, CVE-2025-14174, is a use-after-free vulnerability. The second issue, CVE-2025-43529, allows for memory corruption. Apple does not state it in their brief advisories, but both issues can likely be used to execute arbitrary code. It is not clear if the vulnerabilities will also lead to sandbox escape.
In addition to the patches for the operating system, Apple also fixed its video processing tool "Compressor". The patched vulnerability allows for remote code execution by an attacker on the local network. Compressor is an add-on software that is not included in the OS install. I doubt many users aside from video editors have it installed.
| iOS 26.2 and iPadOS 26.2 | iOS 18.7.3 and iPadOS 18.7.3 | macOS Tahoe 26.2 | macOS Sequoia 15.7.3 | macOS Sonoma 14.8.3 | tvOS 26.2 | watchOS 26.2 | visionOS 26.2 |
|---|---|---|---|---|---|---|---|
| CVE-2024-8906: A download's origin may be incorrectly associated. Affects Safari Downloads |
|||||||
| x | |||||||
| CVE-2025-14174: Processing maliciously crafted web content may lead to memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-43529 was also issued in response to this report.. Affects WebKit |
|||||||
| x | x | x | x | x | x | ||
| CVE-2025-43320: An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges. Affects AppleMobileFileIntegrity |
|||||||
| x | |||||||
| CVE-2025-43410: An attacker with physical access may be able to view deleted notes. Affects Notes |
|||||||
| x | |||||||
| CVE-2025-43416: An app may be able to access protected user data. Affects sudo |
|||||||
| x | x | x | |||||
| CVE-2025-43428: Photos in the Hidden Photos Album may be viewed without authentication. Affects Photos |
|||||||
| x | x | x | |||||
| CVE-2025-43463: An app may be able to access sensitive user data. Affects StorageKit |
|||||||
| x | x | ||||||
| CVE-2025-43475: An app may be able to access user-sensitive data. Affects MediaExperience |
|||||||
| x | |||||||
| CVE-2025-43482: An app may be able to cause a denial-of-service. Affects Audio |
|||||||
| x | x | x | |||||
| CVE-2025-43501: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit |
|||||||
| x | x | x | x | ||||
| CVE-2025-43509: An app may be able to access sensitive user data. Affects Networking |
|||||||
| x | x | x | |||||
| CVE-2025-43511: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit Web Inspector |
|||||||
| x | x | x | x | ||||
| CVE-2025-43512: An app may be able to elevate privileges. Affects Kernel |
|||||||
| x | x | x | x | ||||
| CVE-2025-43513: An app may be able to read sensitive location information. Affects MDM Configuration Tools |
|||||||
| x | x | x | |||||
| CVE-2025-43514: An app may be able to access protected user data. Affects Siri |
|||||||
| x | |||||||
| CVE-2025-43516: A user with Voice Control enabled may be able to transcribe another user's activity. Affects Voice Control |
|||||||
| x | x | x | |||||
| CVE-2025-43517: An app may be able to access protected user data. Affects Call History |
|||||||
| x | x | x | |||||
| CVE-2025-43518: An app may be able to inappropriately access files through the spellcheck API. Affects Foundation |
|||||||
| x | x | x | x | x | |||
| CVE-2025-43519: An app may be able to access sensitive user data. Affects AppleMobileFileIntegrity |
|||||||
| x | x | x | |||||
| CVE-2025-43521: An app may be able to access sensitive user data. Affects AppleMobileFileIntegrity |
|||||||
| x | x | ||||||
| CVE-2025-43522: An app may be able to access user-sensitive data. Affects AppleMobileFileIntegrity |
|||||||
| x | x | ||||||
| CVE-2025-43523: An app may be able to access sensitive user data. Affects AppleMobileFileIntegrity |
|||||||
| x | |||||||
| CVE-2025-43526: On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted. Affects Safari |
|||||||
| x | |||||||
| CVE-2025-43527: An app may be able to gain root privileges. Affects StorageKit |
|||||||
| x | x | ||||||
| CVE-2025-43529: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report.. Affects WebKit |
|||||||
| x | x | x | x | x | x | ||
| CVE-2025-43530: An app may be able to access sensitive user data. Affects Settings |
|||||||
| x | x | x | x | ||||
| CVE-2025-43531: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit |
|||||||
| x | x | x | x | x | x | ||
| CVE-2025-43532: Processing malicious data may lead to unexpected app termination. Affects Foundation |
|||||||
| x | x | x | x | x | x | x | x |
| CVE-2025-43533: A malicious HID device may cause an unexpected process crash. Affects Multi-Touch |
|||||||
| x | x | x | x | x | |||
| CVE-2025-43535: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit |
|||||||
| x | x | x | x | ||||
| CVE-2025-43536: Processing maliciously crafted web content may lead to an unexpected process crash. Affects WebKit |
|||||||
| x | x | x | |||||
| CVE-2025-43538: An app may be able to access sensitive user data. Affects Screen Time |
|||||||
| x | x | x | x | x | x | ||
| CVE-2025-43539: Processing a file may lead to memory corruption. Affects AppleJPEG |
|||||||
| x | x | x | x | x | x | x | x |
| CVE-2025-43541: Processing maliciously crafted web content may lead to an unexpected Safari crash. Affects WebKit |
|||||||
| x | x | x | x | ||||
| CVE-2025-43542: Password fields may be unintentionally revealed when remotely controlling a device over FaceTime. Affects FaceTime |
|||||||
| x | x | x | x | x | |||
| CVE-2025-46276: An app may be able to access sensitive user data. Affects Messages |
|||||||
| x | x | x | x | x | x | x | |
| CVE-2025-46277: An app may be able to access a user's Safari history. Affects Screen Time |
|||||||
| x | x | x | |||||
| CVE-2025-46278: An app may be able to access protected user data. Affects Game Center |
|||||||
| x | |||||||
| CVE-2025-46279: An app may be able to identify what other apps a user has installed. Affects Icons |
|||||||
| x | x | x | x | x | x | ||
| CVE-2025-46281: An app may be able to break out of its sandbox. Affects File Bookmark |
|||||||
| x | |||||||
| CVE-2025-46282: An app may be able to access sensitive user data. Affects WebKit |
|||||||
| x | |||||||
| CVE-2025-46283: An app may be able to access sensitive user data. Affects CoreServices |
|||||||
| x | |||||||
| CVE-2025-46285: An app may be able to gain root privileges. Affects Kernel |
|||||||
| x | x | x | x | x | x | x | x |
| CVE-2025-46287: An attacker may be able to spoof their FaceTime caller ID. Affects Calling Framework |
|||||||
| x | x | x | x | x | x | x | |
| CVE-2025-46288: An app may be able to access sensitive payment tokens. Affects App Store |
|||||||
| x | x | x | x | ||||
| CVE-2025-46289: An app may be able to access protected user data. Affects AppSandbox |
|||||||
| x | x | x | |||||
| CVE-2025-46291: An app may bypass Gatekeeper checks. Affects LaunchServices |
|||||||
| x | |||||||
| CVE-2025-46292: An app may be able to access user-sensitive data. Affects Telephony |
|||||||
| x | x | ||||||
--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
My next class:
| Network Monitoring and Threat Detection In-Depth | Online | Central European Time | Dec 15th - Dec 20th 2025 |
×
![modal content]()
Diary Archives
Comments