Apple released iOS 26.3 and iPadOS 26.3 on February 11, 2026, patching over 40 vulnerabilities, including a critical zero-day in the dyld component actively exploited in targeted attacks.
The update addresses CVE-2026-20700, a memory-corruption flaw discovered by Google’s Threat Analysis Group, which enables arbitrary code execution for attackers with memory-write access.
Dyld, Apple’s Dynamic Link Editor, handles loading and linking of dynamic libraries across iOS, macOS, and other platforms. This flaw (CVE-2026-20700) stems from improper state management, allowing memory corruption that leads to code execution.
Apple notes it was part of “an extremely sophisticated attack against specific targeted individuals” on iOS versions before 26, linking it to prior fixes CVE-2025-14174 and CVE-2025-43529 from December 2025.
The attack chain likely begins with initial access possibly via phishing or zero-click exploits gaining memory write privileges before leveraging dyld for persistence or escalation.
Targeted victims include high-profile individuals like journalists or activists, consistent with nation-state spyware campaigns such as Pegasus or those attributed to Google’s reports. No public proof-of-concept exists, but Apple’s rapid patching underscores the threat’s severity.
Apple 0-Day Vulnerability Exploited
Exploitation requires prior compromise, perhaps through WebKit rendering or kernel bugs also patched in this update. Once memory write is achieved, attackers corrupt dyld’s state during library loading, hijacking control flow to execute shellcode.
This bypasses mitigations like Pointer Authentication Codes (PAC) or KASLR if chained cleverly, potentially installing persistent spyware for data exfiltration.
Apple fixed it with “improved state management,” likely enhancing validation in dyld’s memory allocation and linking phases. Affected devices span iPhone 11+, recent iPad Pros, Airs, and minis billions at risk if unpatched.
Source: Cybersecurity News