Apple Security Updates Address Multiple Vulnerabilities Including an In-the-Wild Exploited Memory Corruption Flaw
Apple issued security updates across its ecosystem to address multiple vulnerabilities affecting iOS, iPadOS, macOS, tvOS, watchOS, and visionOS, with impacts including remote code execution (RCE), denial of service, elevation of privilege, information disclosure, data manipulation, and security restriction bypass. HKCERT highlighted CVE-2026-20700 as a high-risk issue and noted it is being exploited in the wild; the flaw is described as an improper restriction of operations within the bounds of a memory buffer that could allow arbitrary code execution when an attacker has memory-write capability.
Apple’s iOS 26.3 and iPadOS 26.3 security content includes fixes for issues that could expose sensitive information on a locked device (e.g., CVE-2026-20645 and CVE-2026-20674) and a Bluetooth-related denial-of-service condition where a privileged network attacker could trigger DoS using crafted packets (CVE-2026-20650). The updates apply to iPhone 11 and later and a range of supported iPad models, and Apple reiterated its policy of publishing details after patches are available.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Apple patches macOS USD library flaw CVE-2026-28941
Apple released an update for CVE-2026-28941, an out-of-bounds read in the macOS USD library caused by improper validation of user-supplied data. ZDI said successful exploitation could disclose sensitive information with user interaction and noted the bug could be chained with other flaws; the issue was publicly disclosed as ZDI-26-315.
Apple patches macOS CoreSymbolication flaw CVE-2026-28918
Apple released an update to fix CVE-2026-28918, an out-of-bounds read in the CoreSymbolication framework on macOS caused by improper validation of user-supplied data. ZDI said the flaw could disclose sensitive information and potentially be chained with other bugs, and published coordinated advisory ZDI-26-311 on 2026-05-12.
HKCERT publishes bulletin on multiple Apple product vulnerabilities
HKCERT issued a security bulletin warning about multiple vulnerabilities affecting Apple products, reflecting and amplifying the vendor's February 2026 disclosures. The bulletin did not introduce a separate incident but documented the broader security impact for defenders.
Apple discloses targeted exploitation of CVE-2026-20627
In the iOS 26.3 and iPadOS 26.3 security advisory, Apple said it was aware of a report that CVE-2026-20627 may have been exploited in an "extremely sophisticated" targeted attack against specific individuals on iOS versions prior to iOS 26. Apple also said CVE-2025-14174 and CVE-2025-43529 were issued in response to that same report.
Apple releases iOS 26.3 and iPadOS 26.3 security updates
Apple published security updates for iPhone 11 and later and multiple iPad models, fixing numerous vulnerabilities affecting privacy, sandboxing, privilege escalation, memory safety, denial of service, and network security. The advisory also noted fixes for issues that could expose sensitive information on locked devices or enable arbitrary file writes, crashes, sandbox escape, or root privilege escalation.
Apple patches CVE-2024-27791 in multiple operating systems
Apple addressed CVE-2024-27791, a high-severity out-of-bounds write in Apple PMP Firmware via the ApplePMPv2 writeDashboard interface, affecting iOS, iPadOS, macOS Monterey, macOS Ventura, macOS Sonoma, and tvOS before the January 22, 2024 fixes. The flaw could let an app corrupt Power Management Processor shared memory and trigger PMP panics, Data Aborts, SError exceptions, and ApplePMGR panics; Apple credited Pan Zhenpeng of STAR Labs SG and said it fixed the issue with improved validation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
ZDI-26-311 | Zero Day Initiative
zerodayinitiative.com
Open sourceZDI-26-315 | Zero Day Initiative
zerodayinitiative.com
Open sourceApple Products Multiple Vulnerabilities
hkcert.org
Open sourceAbout the security content of iOS 26.3 and iPadOS 26.3 - Apple Support
support.apple.com
Open source(CVE-2024-27791) Apple PMP Firmware Out-of-Bounds Write via ApplePMPv2 writeDashboard | STAR Labs
starlabs.sg
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apple Patches Actively Exploited dyld Zero-Day in iOS and Other Platforms
Apple released security updates to address an **actively exploited zero-day** tracked as **CVE-2026-20700**, warning it may have been used in an “extremely sophisticated” attack targeting specific individuals on versions of iOS prior to *iOS 26*. The flaw affects **`dyld` (Apple’s dynamic linker)** and can allow **arbitrary code execution** when an attacker already has **memory write** capability; reporting attributes discovery to **Google’s Threat Analysis Group** and notes it may have been used as part of an exploit chain. Apple shipped fixes across its ecosystem, including *iOS 26.3*, *iPadOS 26.3*, *macOS Tahoe 26.3*, *watchOS 26.3*, *tvOS 26.3*, and *visionOS 26.3*. The same reporting indicates Apple also issued patches tied to the broader report for **CVE-2025-14174** (an out-of-bounds memory access issue in Chrome’s **ANGLE** graphics component on Mac) and **CVE-2025-43529** (a **use-after-free** leading to code execution), and commentary from security practitioners emphasized that enterprise risk is driven by **patch deployment speed**—particularly where updates rely on end users rather than enforced device management.
Mar 21, 2026
Apple Fixes Broad Set of iOS, macOS, and visionOS Vulnerabilities
Apple released a wide-ranging set of security updates across **iOS**, **iPadOS**, **macOS Tahoe**, **watchOS**, **tvOS**, **visionOS**, **Safari**, and **Xcode**, addressing more than 85 vulnerabilities across core components including the kernel, WebKit, AirPlay, Keychain, and open-source libraries. The updates fix issues that could enable traffic interception, kernel state disclosure, user fingerprinting, installed-app enumeration, Mail privacy bypasses, exposure of deleted Notes content, and crashes from out-of-bounds writes. Apple said it had no reports of in-the-wild exploitation for the vulnerabilities listed in the release notes, but urged users to update, with particular importance for older devices and managed macOS environments. Among the patched flaws is **`CVE-2024-27828`**, a high-severity memory-handling bug in **IOSurfaceRoot** that could let a local app trigger a kernel panic or execute arbitrary code with kernel privileges. STAR Labs said the issue stemmed from a reference count leak in `IOSurfaceRootUserClient::s_create_shared_event`, where repeated calls with crafted input could corrupt memory handling; the flaw affected iOS and iPadOS before 17.5, tvOS before 17.5, watchOS before 10.5, and visionOS before 1.2. Apple addressed the bug through improved memory handling, adding it to a broader pattern of fixes spanning both current and legacy Apple platforms.
May 25, 2026
Apple iOS/iPadOS Security Updates and CVE Fixes Across Multiple Releases
Apple published security advisories detailing vulnerability fixes across multiple iOS and iPadOS versions, including iOS/iPadOS **16.7**, **17.2**, **18.1**, **18.3**, **26.1**, and **26.2**. The advisories describe a range of impacts such as sandbox escapes (including Web Content sandbox breakout), privacy issues where apps could access or expose sensitive user data via insufficient log redaction, file-system modification via temporary-file handling, and memory-safety flaws (e.g., out-of-bounds reads, type confusion, and bounds-checking issues) that could lead to crashes or memory corruption. Apple attributes fixes to changes like improved protocol handling, cache handling, input validation, and additional permission restrictions, and references issues by **CVE** where available. Several advisories also highlight device-state and authentication/logic weaknesses: iOS/iPadOS 18.3 includes a case where an attacker with physical access to an **unlocked** device could access Photos while the app is locked (`CVE-2025-24141`), while iOS/iPadOS 18.1 includes a lock-screen exposure issue (`CVE-2024-44274`) and a Shortcuts-related path-handling flaw that could allow arbitrary shortcut execution without user consent (`CVE-2024-44255`). The iOS/iPadOS 26.x advisories include privacy and permission issues (e.g., identifying installed apps, screenshots of sensitive embedded views), potential kernel memory corruption/system termination conditions, and logic/UI issues affecting security posture (e.g., passcode requirement timing after Face ID enrollment restore scenarios and potential FaceTime caller ID spoofing), with multiple findings credited to external researchers and teams (including Google Project Zero, ByteDance IES Red Team, and others).
Mar 21, 2026