Apple Patches Zero-Day Flaw Exploited Across Devices
Apple Inc. has released emergency security updates to patch a zero-day vulnerability that was actively exploited against users. The flaw, identified as CVE-2026-20700, affects a wide range of the company’s products, including iPhones, iPads, Macs, and Vision Pro headsets. The issue was discovered and reported by Google’s Threat Analysis Group (TAG), which specializes in tracking advanced cyber threats.

Apple disclosed the vulnerability in a security advisory, stating it was aware of a report that the issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. The flaw resides in a core system component called `dyld`, Apple’s Dynamic Link Editor, which is responsible for loading applications and software libraries.

The vulnerability is described as a memory corruption issue. According to the company, an attacker with memory write capabilities could exploit this flaw to execute arbitrary code. This would allow a malicious actor to bypass standard security restrictions and potentially gain deep system-level control over an affected device. As is standard practice for actively exploited vulnerabilities, Apple has withheld detailed technical information to prevent wider abuse before users can install the patches.

Vulnerabilities in a low-level component like `dyld` are considered particularly severe because the component operates at a fundamental stage of application execution. This can give an attacker an early foothold before other security mechanisms are fully engaged. Apple’s description of the exploit as extremely sophisticated suggests the attack required significant resources and expertise, a characteristic often associated with state-sponsored threat actors or commercial spyware vendors.

Apple also revealed that this new vulnerability was exploited as part of an attack chain that included two previously patched flaws from :

  • CVE-2025-14174: An out-of-bounds memory access issue in the ANGLE graphics engine component.
  • CVE-2025-43529: A use-after-free vulnerability that could be triggered by processing malicious web content.

The company indicated all three vulnerabilities were leveraged in the same campaign, highlighting the multi-stage nature of modern targeted attacks.

The patches were released to protect users from an ongoing, targeted surveillance campaign. While Apple did not attribute the attack to a specific group, the tactics are consistent with past zero-day exploits used for espionage. Such campaigns typically focus on high-value targets like journalists, activists, and government officials to gather intelligence by compromising their personal devices. The source of the attack and its ultimate goals remain undisclosed.

Key details about the exploit campaign have not been made public. Apple has not identified the threat actor behind the attacks or specified which regions or individuals were targeted. The full technical methodology of the exploit chain remains confidential to prevent copycat attacks. The total number of individuals affected by this sophisticated campaign is also unknown.

CVE-2026-20700 is the first actively exploited zero-day vulnerability Apple has patched in 2026, following seven such patches in 2025. This incident underscores a persistent trend of attackers focusing on mobile and personal computing devices as primary targets for intelligence gathering. Security researchers will likely analyze the patches to better understand the vulnerability, and more details may emerge as the threat is investigated further. For Apple, the focus will be on ensuring widespread adoption of the security updates across its ecosystem.

Apple advises all users to update their devices immediately to protect themselves. Even though the company stated the attack was highly targeted, the vulnerability could potentially be repurposed by other attackers. Enterprise administrators should also ensure that all managed devices within their organization are updated.

The patches are available in the following software versions:

  • iOS 18.7.5
  • iPadOS 18.7.5
  • macOS Tahoe 26.3
  • tvOS 26.3
  • watchOS 26.3
  • visionOS 26.3

Users can install the updates by navigating to the Software Update section in their device’s settings. For iPhones and iPads, this is located under Settings → General → Software Update.
