Apple dyld Zero-Day (CVE-2026-20700) Added to CISA KEV After Targeted Exploitation
Apple disclosed and patched CVE-2026-20700, a zero-day affecting dyld (Apple’s Dynamic Link Editor) across multiple operating systems (iOS, iPadOS, macOS, tvOS, watchOS, and visionOS). Apple said the issue was exploited in “extremely sophisticated” attacks targeting specific individuals and described the flaw as enabling arbitrary code execution when an attacker already has memory-write capability, indicating use in advanced exploit chains rather than opportunistic mass exploitation.
CISA added CVE-2026-20700 to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation and set a remediation due date of 2026-03-05 for U.S. federal civilian agencies under BOD 22-01, while urging all organizations to prioritize patching. The same CISA KEV update also added three other actively exploited vulnerabilities—CVE-2024-43468 (Microsoft Configuration Manager SQL injection), CVE-2025-15556 (Notepad++ WinGUp updater integrity-check weakness), and CVE-2025-40536 (SolarWinds Web Help Desk security control bypass)—but those are separate issues from the Apple dyld zero-day.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA republishes KEV data with Apple CVE-2026-20700 entry details
A subsequent KEV data update published detailed entry information for CVE-2026-20700, including affected Apple platforms, CWE-119 classification, vendor references, and mitigation guidance. The entry described the flaw as a buffer overflow that could enable arbitrary code execution if an attacker has memory-write capability.
CISA KEV catalog update raises total listed vulnerabilities to 1,516
A CISA KEV data update changed the catalog version from 2026.02.11 to 2026.02.12 and increased the total vulnerability count from 1,513 to 1,516. The update reflected the newly added exploited vulnerabilities and set remediation due dates including 2026-03-05 for several entries.
CISA adds four actively exploited vulnerabilities to the KEV Catalog
CISA added four vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation: CVE-2026-20700 affecting Apple products, CVE-2024-43468 affecting Microsoft Configuration Manager, CVE-2025-15556 affecting Notepad++ WinGUp, and a SolarWinds Web Help Desk flaw. CISA directed federal agencies to remediate them by the specified due dates under BOD 22-01 and urged all organizations to prioritize patching.
Apple releases patches for exploited zero-day CVE-2026-20700
Apple released security updates for CVE-2026-20700, a dyld buffer overflow affecting multiple Apple operating systems that could allow arbitrary code execution when an attacker has memory-write capability. Apple said the flaw had been exploited in extremely sophisticated targeted attacks against specific individuals and linked it to the same incidents as two previously patched vulnerabilities.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Add Updated KEV Files for 2026-02-14 · cisagov/kev-data@ebc6254 · GitHub
github.com
Open sourceCritical Apple Flaw Exploited in ‘Sophisticated’ Attacks, Company Urges Rapid Patching
techrepublic.com
Open sourceAdd Updated KEV Files for 2026-02-12 · cisagov/kev-data@a05243b · GitHub
github.com
Open sourceCISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA
cisa.gov
Open sourceAdd Updated KEV Files for 2026-02-12 · cisagov/kev-data@6a13373 · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apple Patches Actively Exploited dyld Zero-Day in iOS and Other Platforms
Apple released security updates to address an **actively exploited zero-day** tracked as **CVE-2026-20700**, warning it may have been used in an “extremely sophisticated” attack targeting specific individuals on versions of iOS prior to *iOS 26*. The flaw affects **`dyld` (Apple’s dynamic linker)** and can allow **arbitrary code execution** when an attacker already has **memory write** capability; reporting attributes discovery to **Google’s Threat Analysis Group** and notes it may have been used as part of an exploit chain. Apple shipped fixes across its ecosystem, including *iOS 26.3*, *iPadOS 26.3*, *macOS Tahoe 26.3*, *watchOS 26.3*, *tvOS 26.3*, and *visionOS 26.3*. The same reporting indicates Apple also issued patches tied to the broader report for **CVE-2025-14174** (an out-of-bounds memory access issue in Chrome’s **ANGLE** graphics component on Mac) and **CVE-2025-43529** (a **use-after-free** leading to code execution), and commentary from security practitioners emphasized that enterprise risk is driven by **patch deployment speed**—particularly where updates rely on end users rather than enforced device management.
Mar 21, 2026
Apple Zero-Day CVE-2026-20700 Patched Across iOS, macOS, and Other Platforms
Apple released security updates for **CVE-2026-20700**, a **zero-day** in `dyld` (the Dynamic Link Editor) that can enable **arbitrary code execution** when an attacker already has a memory-write capability. Apple said it is aware the issue “may have been exploited” in **extremely sophisticated, targeted attacks** against specific individuals, and credited **Google Threat Analysis Group (TAG)** with discovery. Apple also linked the same incident reporting to two earlier vulnerabilities (**CVE-2025-14174** and **CVE-2025-43529**) that were previously addressed. The fixes were shipped across Apple’s ecosystem, including **iOS/iPadOS**, **macOS** (including *macOS Tahoe*), **tvOS**, **watchOS**, and **visionOS**; impacted device families include iPhone 11 and later and multiple iPad generations, as well as Macs running *macOS Tahoe*. Canadian Centre for Cyber Security guidance echoed Apple’s warning of potential exploitation and urged rapid patching (e.g., **iOS/iPadOS 18.7.5** and **26.3** releases for newer OS lines). Other vendor advisories published in the same period (HPE, Chrome, Intel, Fortinet, Siemens, Dell, CISA ICS, IBM, Red Hat) are unrelated to the Apple zero-day and reflect routine multi-vendor patch activity rather than the specific exploitation event.
Mar 21, 2026
CISA Flags Actively Exploited Vulnerabilities in SolarWinds Web Help Desk and Major Platforms
**CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog**, triggering mandatory remediation timelines for U.S. federal civilian agencies. The newly listed issues include an actively exploited flaw in **SolarWinds Web Help Desk** (`CVE-2025-40536`) with an accelerated patch deadline, alongside additional KEV additions affecting **Apple** platforms (iOS, macOS, tvOS, watchOS, visionOS), **Microsoft** products, and **Notepad++**. Apple stated it was aware of reports the issue “may have been exploited in an extremely sophisticated attack against specific targeted individuals,” with **Google Threat Analysis Group** credited with discovery, underscoring continued targeting of high-value users via mobile/endpoint zero-days. Separate reporting highlighted the broader operational context driving these directives: **Microsoft’s February security update** addressed **59 vulnerabilities**, including **six zero-days under active exploitation**, reinforcing that exploit timelines are compressing and patching is increasingly a “defense sprint.” In parallel, CISA also moved to reduce systemic exposure at the perimeter by ordering agencies to **remove unsupported network edge devices** (e.g., firewalls/routers) within a year, reflecting concern that end-of-support infrastructure and rapidly weaponized vulnerabilities are converging into a persistent, high-impact federal risk.
Mar 21, 2026