Apple credited Google’s artificial intelligence cybersecurity agent Big Sleep with discovering five vulnerabilities in WebKit, the browser engine used by Safari, that could result in browser crashes or memory corruption if exploited.
The flaws are tracked as CVE-2025-43429 through CVE-2025-43434. CVE-2025-43429 is described as a buffer overflow that may cause an unexpected process crash and was addressed through improved bounds checking. CVE-2025-43430 is an unspecified issue that could also lead to a crash and was fixed with improved state management. CVE-2025-43431 and CVE-2025-43433 are reported as memory-corruption issues addressed through improved memory handling, and CVE-2025-43434 is a use-after-free that may lead to a Safari crash and was mitigated with improved state management.
Apple released patches on Monday as part of updates including iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, watchOS 26.1, visionOS 26.1 and Safari 26.1.
The iOS and iPadOS update is available for iPhone 11 and later and a range of iPad models, including iPad Pro 12.9-inch (3rd generation and later), iPad Pro 11-inch (1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later) and iPad mini (5th generation and later). macOS, tvOS, watchOS, visionOS and Safari updates are provided for the corresponding devices and platforms.
Big Sleep, formerly known as Project Naptime, is an AI agent developed in collaboration between DeepMind and Google Project Zero to enable automated vulnerability discovery. Earlier this year the framework identified a separate SQLite vulnerability tracked as CVE-2025-6965.
None of the vulnerabilities in Monday’s bulletins have been flagged as exploited in the wild. Users are advised to install the updates.