Apple has released emergency security updates across its entire operating system lineup to patch an actively exploited zero-day vulnerability in the dyld (dynamic linker) component, tracked as CVE-2026-20700. The company confirmed that the flaw, a memory corruption issue, has been used in "extremely sophisticated" targeted attacks against specific individuals running older versions of iOS.
Google Threat Analysis Group (TAG) discovered and reported the bug, marking yet another instance of Google helping Apple close high-severity holes used in real-world espionage or mercenary spyware campaigns. Apple noted that the exploit was observed on iOS versions prior to iOS 26, and credited the same report with also prompting fixes for two earlier vulnerabilities: CVE-2025-14174 (out-of-bounds access in ANGLE's Metal renderer, CVSS 8.8) and CVE-2025-43529 (WebKit use-after-free, CVSS 8.8), both patched back in December 2025.
Successful exploitation of CVE-2026-20700 requires an attacker to already have the ability to write arbitrary memory on the device (a non-trivial prerequisite), after which they can achieve arbitrary code execution. Apple did not disclose the exact attack vector or the identity of the victims, but the language strongly suggests nation-state or commercial spyware involvement, consistent with past campaigns attributed to NSO Group, Candiru, or similar actors targeting journalists, activists, diplomats, or dissidents.
Affected & Updated Platforms
The primary fixes are in the .3 point releases for the latest OS branches:
1. iOS 26.3 & iPadOS 26.3: iPhone 11 and later, recent iPad Pro/Air/mini models (full list in advisory)
2. macOS Tahoe 26.3: all Macs running Tahoe
3. tvOS 26.3: Apple TV HD and 4K (all generations)
4. watchOS 26.3: Apple Watch Series 6 and later
5. visionOS 26.3: Apple Vision Pro (all models)
Apple also pushed security-only updates for older branches:
1. iOS 18.7.5 & iPadOS 18.7.5 (iPhone XS/XR/XS Max, iPad 7th gen)
2. macOS Sequoia 15.7.4
3. macOS Sonoma 14.8.4
4. Safari 26.3 (for Sonoma & Sequoia)
Context & Trends
This marks Apple's first confirmed in-the-wild zero-day patch of 2026. In 2025, Apple addressed nine exploited zero-day vulnerabilities attributable to WebKit, kernel, or dyld defects, and most were associated with very sophisticated spyware efforts. The frequency of dyld-related defects (the dynamic linker is considered a high-value target because it runs before an application launches, with elevated privilege levels) illustrates how deeply embedded these components are in the computing environment, which makes them susceptible to exploitation by sophisticated attackers.
For the majority of users, the actual risk from this type of attack is very low unless you are a high-value target such as a journalist, politician, activist, or executive in an area deemed to be sensitive. However, all users should install these updates as a priority, particularly those using iOS/iPadOS devices where automatic updates may have been delayed.
Recommendations:
1. Updates can be installed by going to "Settings > General > Software Update" (for iOS/iPadOS) or "System Preferences > Software Update" (for macOS).
2. Devices managed by your organization should have these updates installed as soon as possible and should be monitored for abnormal activity until every device has completed installation, to assist with remediation of any unauthorized access.
3. It would be a good practice to enable Lockdown Mode for any high-value/high-risk devices to achieve additional hardening against more advanced types of attacks.
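As an added example (not from Apple or the original article), the Python sketch below triages a managed-device inventory against the fixed versions listed above. The inventory rows, hostnames and status labels are constructed for illustration, and Safari 26.3 on Sonoma and Sequoia is not checked.

```python
# First patched release per (platform, major branch), copied from the lists above.
FIXED = {
    ("iOS", 26): (26, 3, 0), ("iPadOS", 26): (26, 3, 0),
    ("iOS", 18): (18, 7, 5), ("iPadOS", 18): (18, 7, 5),
    ("macOS", 26): (26, 3, 0), ("macOS", 15): (15, 7, 4), ("macOS", 14): (14, 8, 4),
    ("tvOS", 26): (26, 3, 0), ("watchOS", 26): (26, 3, 0), ("visionOS", 26): (26, 3, 0),
}

def parse_version(text):
    """Turn '18.7' into (18, 7, 0); padding makes 26.3 compare equal to 26.3.0."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError("unexpected version format: " + text)
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, version):
    """Return 'patched', 'needs-update', 'no-fix-listed' or 'unparseable'."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    floor = FIXED.get((platform, v[0]))
    if floor is None:
        # The article lists no fixed release for this branch (for example an
        # iOS 17 device): flag it for manual review instead of guessing.
        return "no-fix-listed"
    return "patched" if v >= floor else "needs-update"

def triage(inventory):
    """Map each hostname to its status; inventory rows are (host, platform, version)."""
    return {host: classify(platform, version) for host, platform, version in inventory}

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = [
    ("exec-iphone-01", "iOS", "26.2.1"),
    ("lab-ipad-07", "iPadOS", "18.7.5"),
    ("build-mac-03", "macOS", "15.7.3"),
    ("kiosk-iphone-02", "iOS", "17.7.2"),
    ("design-mac-11", "macOS", "26.3"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:18} {status}")
```

Devices reported as no-fix-listed sit on a branch for which the lists above name no patched release, so they need a manual decision rather than an automatic pass.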
Apple's transparency about the specific threat of exploitation provides additional motivation to prioritize the deployment of these patches. It also reflects a common industry theme: multiple, persistent threats keep targeting these platforms even though vendors are able to ship a sufficient number of patches.
Source: The Hacker News