Preface: This article is scheduled for release on January 21, 2026. It may contain some key topics that will be helpful to developers. Therefore it release today.
The “spyware” mentioned in April 2025 was the Apple Company policy, but the attacks reported in January 2026 are live threats using newer exploits (CVE-2025-43529 and CVE-2025-14174). If you have not updated to iOS 26.2 or newer, your device is at high risk from these “extremely sophisticated” attacks.
Background:
ANGLE on iOS: Chrome on iOS uses WebKit as its rendering engine (due to Apple’s App Store policy), and ANGLE is integrated for WebGL translation.
WebKit Zero-Day Exploits: If attackers exploit WebKit vulnerabilities (like CVE-2025-43529) and combine them with ANGLE flaws (CVE-2025-14174), they can potentially achieve remote code execution or device compromise.
Shared Components: Safari and Chrome on iOS both rely on WebKit, so any ANGLE-related bug in WebKit’s GPU pipeline could propagate to iOS.
Cyber security focus – CVE-2025-43529
When the JIT compiler requests executable memory via jit_heap and writes machine code, bmalloc/libpas allocates memory regions. If an object or memory block is freed prematurely and then accessed, that’s where UAF occurs. Complex DOM/JS operations or JIT optimizations often trigger these conditions.
The CVE-2025-43529 is tied to a use-after-free in WebKit’s internal memory management (bmalloc/libpas) during complex DOM/JS operations.
Cyber security focus – CVE-2025-14174
A security issue was found in ANGLE regarding gl.deleteTexture().
- Asynchronous Release Bottlenecks: A known behavior is that calling gl.deleteTexture() does not immediately free memory if the GPU is still processing draw calls that reference that texture. Memory is only reclaimed after the GPU finished execution.
- Shader Translation Memory Retention: A discovered bug in ANGLE’s PoolAllocator revealed that it often moves single-page allocations to a free list rather than returning them to the OS, causing memory used during shader translation to persist until the compiler instance is destroyed.
The following detailed information explains the relationship between ANGLE and different web browsers.
-Google Chrome Full Support (v1.0 & v2.0) Uses ANGLE
-Mozilla Firefox Full Support (v1.0 & v2.0) Uses ANGLE (on Windows) or own implementation
-Apple Safari Full Support (v1.0 & v2.0) Uses ANGLE (since v15+)
-Microsoft Edge Full Support (v1.0 & v2.0) Uses ANGLE (Chromium-based)
These vulnerabilities were actively exploited in the wild, often in spyware campaigns targeting high-profile individuals.
Even if you’re not a high-risk target, updating was critical because these flaws allow remote code execution via a crafted webpage.
For more details on these matters, please see the link.