Apple has released emergency security updates to fix CVE-2026-20700, a zero-day vulnerability affecting iOS, macOS, iPadOS, tvOS, watchOS, and visionOS.
The flaw, which carries a CVSS score of 7.8, was identified by Google Threat Analysis Group (TAG) and is reportedly being actively exploited in highly targeted attacks.
The vulnerability originates from a memory corruption issue in dyld, the Dynamic Link Editor responsible for loading application code and system libraries. If successfully exploited, it could allow an attacker with memory write capability to execute arbitrary code on affected devices.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the iPhone maker said in its advisory. The activity reportedly targeted devices running versions of iOS prior to iOS 26.
Zero-Day Chain Suggests Advanced Targeted Operations
Apple linked CVE-2026-20700 to two additional vulnerabilities previously patched in December 2025: CVE-2025-14174 and CVE-2025-43529. The first involved an out-of-bounds memory access in ANGLE’s Metal renderer, while the second was a use-after-free issue in WebKit that could allow malicious web content to trigger code execution.
Security researchers note that chaining memory corruption issues and browser engine flaws is a commonly seen tactic in advanced spyware campaigns. While Apple did not attribute the attacks, the disclosure pattern mirrors prior activity associated with commercial surveillance operations targeting high-value individuals.
The fixes are included in iOS 26.3, iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3, and visionOS 26.3. Apple also released updates for older platforms, including iOS 18.7.5, macOS Sequoia 15.7.4, and Safari 26.3.
Apple addressed nine actively exploited zero-days in 2025. This marks the company’s first confirmed zero-day patch of 2026. Security teams are advised to update affected devices across managed and bring-your-own-device environments.
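One way to triage a managed or BYOD device inventory against the fixed versions listed above (an added example, not code from Apple or the original article). The inventory rows, host names and status labels are constructed; release branches the article does not name are reported as `no-fix-listed` rather than guessed.

```python
# Fixed versions exactly as listed in the article, keyed by (platform, major).
# Branches the article does not mention are deliberately absent.
FIXED = {
    ("ios", 26): (26, 3), ("ipados", 26): (26, 3), ("macos", 26): (26, 3),
    ("tvos", 26): (26, 3), ("watchos", 26): (26, 3), ("visionos", 26): (26, 3),
    ("safari", 26): (26, 3),
    ("ios", 18): (18, 7, 5), ("macos", 15): (15, 7, 4),
}

def parse_version(text):
    """'18.7.5' -> (18, 7, 5). Raises ValueError on empty or non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def pad(version, length):
    """Right-pad with zeros so that 26.3 compares equal to 26.3.0."""
    return version + (0,) * (length - len(version))

def classify(platform, version):
    """Return 'patched', 'needs-update', 'no-fix-listed' or 'unparseable'."""
    try:
        have = parse_version(version)
    except ValueError:
        return "unparseable"          # e.g. blank field or '26.3 beta'
    fixed = FIXED.get((platform.lower(), have[0]))
    if fixed is None:
        return "no-fix-listed"        # branch not named in the article
    width = max(len(have), len(fixed))
    return "patched" if pad(have, width) >= pad(fixed, width) else "needs-update"

def triage(rows):
    """Group host names by status for (host, platform, version) rows."""
    report = {}
    for host, platform, version in rows:
        report.setdefault(classify(platform, version), []).append(host)
    return report

# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    ("phone-01", "iOS", "26.2.1"), ("phone-02", "iOS", "18.7.5"),
    ("pad-01", "iPadOS", "18.7.4"), ("mac-01", "macOS", "15.7.3"),
    ("watch-01", "watchOS", "26.3"), ("tv-01", "tvOS", ""),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts in `no-fix-listed` or `unparseable` need a manual check against Apple's advisory, since the article gives no fixed build for those branches.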