Apple Patches Actively Exploited dyld Zero-Day in iOS and Other Platforms
Apple released security updates to address an actively exploited zero-day tracked as CVE-2026-20700, warning it may have been used in an “extremely sophisticated” attack targeting specific individuals on versions of iOS prior to iOS 26. The flaw affects dyld (Apple’s dynamic linker) and can allow arbitrary code execution when an attacker already has memory write capability; reporting attributes discovery to Google’s Threat Analysis Group and notes it may have been used as part of an exploit chain.
Apple shipped fixes across its ecosystem, including iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3. The same reporting indicates Apple also issued patches tied to the broader report for CVE-2025-14174 (an out-of-bounds memory access issue in Chrome’s ANGLE graphics component on Mac) and CVE-2025-43529 (a use-after-free leading to code execution), and commentary from security practitioners emphasized that enterprise risk is driven by patch deployment speed—particularly where updates rely on end users rather than enforced device management.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2026-20700 to the KEV catalog
After Apple's disclosure, CISA added CVE-2026-20700 to its Known Exploited Vulnerabilities catalog. CyberScoop described it as the first Apple issue CISA flagged as actively exploited in 2026.
Apple links two previously disclosed bugs to the same report
In the same disclosure cycle, Apple also referenced CVE-2025-14174 and CVE-2025-43529 as having been addressed in response to the same report tied to CVE-2026-20700. Reporting noted these additional memory-safety flaws may have been part of a broader exploit chain, though Apple did not fully explain the relationship.
Apple patches CVE-2026-20700 and warns of targeted in-the-wild exploitation
On 2026-02-11, Apple released security updates including iOS/iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3 to fix CVE-2026-20700. Apple said the flaw may have been used in an 'extremely sophisticated' attack against specific targeted individuals and that it could allow arbitrary code execution when an attacker already has memory write capability.
Google discovers Apple dyld zero-day CVE-2026-20700
Google's Threat Analysis Group/Threat Intelligence Group discovered a memory-corruption flaw in Apple's dyld component, tracked as CVE-2026-20700. Apple later credited Google with reporting the issue and said it affected iOS versions prior to iOS 26.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Apple discloses first actively exploited zero-day of 2026 | CyberScoop
cyberscoop.com
Open sourceApple fixes zero-day that exploited OS bug in open-source code | SC Media
scworld.com
Open sourceApple patches decade-old iOS zero-day exploited in the wild • The Register
go.theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apple Zero-Day CVE-2026-20700 Patched Across iOS, macOS, and Other Platforms
Apple released security updates for **CVE-2026-20700**, a **zero-day** in `dyld` (the Dynamic Link Editor) that can enable **arbitrary code execution** when an attacker already has a memory-write capability. Apple said it is aware the issue “may have been exploited” in **extremely sophisticated, targeted attacks** against specific individuals, and credited **Google Threat Analysis Group (TAG)** with discovery. Apple also linked the same incident reporting to two earlier vulnerabilities (**CVE-2025-14174** and **CVE-2025-43529**) that were previously addressed. The fixes were shipped across Apple’s ecosystem, including **iOS/iPadOS**, **macOS** (including *macOS Tahoe*), **tvOS**, **watchOS**, and **visionOS**; impacted device families include iPhone 11 and later and multiple iPad generations, as well as Macs running *macOS Tahoe*. Canadian Centre for Cyber Security guidance echoed Apple’s warning of potential exploitation and urged rapid patching (e.g., **iOS/iPadOS 18.7.5** and **26.3** releases for newer OS lines). Other vendor advisories published in the same period (HPE, Chrome, Intel, Fortinet, Siemens, Dell, CISA ICS, IBM, Red Hat) are unrelated to the Apple zero-day and reflect routine multi-vendor patch activity rather than the specific exploitation event.
Mar 21, 2026
Apple dyld Zero-Day (CVE-2026-20700) Added to CISA KEV After Targeted Exploitation
Apple disclosed and patched **CVE-2026-20700**, a zero-day affecting `dyld` (Apple’s Dynamic Link Editor) across multiple operating systems (**iOS, iPadOS, macOS, tvOS, watchOS, and visionOS**). Apple said the issue was exploited in “**extremely sophisticated**” attacks targeting specific individuals and described the flaw as enabling **arbitrary code execution** when an attacker already has **memory-write capability**, indicating use in advanced exploit chains rather than opportunistic mass exploitation. CISA added **CVE-2026-20700** to the **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation and set a remediation due date of **2026-03-05** for U.S. federal civilian agencies under **BOD 22-01**, while urging all organizations to prioritize patching. The same CISA KEV update also added three other actively exploited vulnerabilities—**CVE-2024-43468** (Microsoft Configuration Manager SQL injection), **CVE-2025-15556** (Notepad++ WinGUp updater integrity-check weakness), and **CVE-2025-40536** (SolarWinds Web Help Desk security control bypass)—but those are separate issues from the Apple `dyld` zero-day.
Mar 21, 2026
Apple Security Updates Address Multiple Vulnerabilities Including an In-the-Wild Exploited Memory Corruption Flaw
Apple issued security updates across its ecosystem to address **multiple vulnerabilities** affecting *iOS, iPadOS, macOS, tvOS, watchOS,* and *visionOS*, with impacts including **remote code execution (RCE)**, denial of service, elevation of privilege, information disclosure, data manipulation, and security restriction bypass. HKCERT highlighted **CVE-2026-20700** as a **high-risk** issue and noted it is **being exploited in the wild**; the flaw is described as an **improper restriction of operations within the bounds of a memory buffer** that could allow arbitrary code execution when an attacker has memory-write capability. Apple’s iOS 26.3 and iPadOS 26.3 security content includes fixes for issues that could expose sensitive information on a locked device (e.g., **CVE-2026-20645** and **CVE-2026-20674**) and a Bluetooth-related denial-of-service condition where a privileged network attacker could trigger DoS using crafted packets (**CVE-2026-20650**). The updates apply to **iPhone 11 and later** and a range of supported iPad models, and Apple reiterated its policy of publishing details after patches are available.
May 12, 2026