Apple confirmed that CVE-2026-20700 "may have been exploited in an extremely sophisticated attack against specific targeted individuals." Update all Apple devices to iOS/iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, or visionOS 26.3. For older devices, update to iOS 18.7.5, macOS Sequoia 15.7.4, or macOS Sonoma 14.8.4.
Overview
On February 11, 2026, Apple issued an emergency security update across all of its major platforms to address CVE-2026-20700, a memory corruption vulnerability in dyld — the dynamic link editor (dynamic linker) that loads and links shared libraries at runtime on every Apple operating system. The flaw allows an attacker with memory-write capability to execute arbitrary code, potentially compromising the device at a deep system level.
This is Apple's first actively exploited zero-day of 2026, disclosed five days after Google's Threat Analysis Group (TAG) — one of the world's premier teams tracking nation-state and targeted attacker activity — reported the vulnerability to Apple. The discovery by Google TAG is a strong signal that this vulnerability was leveraged in a state-sponsored or highly sophisticated threat campaign targeting high-value individuals such as dissidents, journalists, executives, or government personnel.
CVE-2026-20700 does not stand alone. Apple's advisory confirms it was exploited as part of a chain involving two previously patched WebKit zero-days — CVE-2025-14174 and CVE-2025-43529 — both of which were addressed in December 2025 and were already known to be exploited in the wild. Together, these three vulnerabilities form a multi-stage exploit chain capable of progressing from JavaScript in a web browser to deep system code execution.
What Is dyld and Why Does It Matter?
dyld (the Dynamic Linker/Loader) is one of the most fundamental and privileged components in Apple's operating systems. When any process launches on iOS, macOS, watchOS, or tvOS, dyld is responsible for:
- Loading the main executable and all of its shared library dependencies into memory
- Resolving symbol addresses (function pointers) across those libraries
- Running initialization routines before main() is even called
- Enforcing certain security policies around library loading
Because dyld runs with elevated privileges and is called during every process launch, a vulnerability in it represents a critical foothold. An attacker able to exploit a dyld flaw gains the ability to corrupt the program's runtime environment from the ground up — before the application's own defenses can even initialize. This makes dyld an extremely high-value target for exploit chain developers.
Technical Details
Root Cause: Memory Corruption in the Dynamic Linker
Apple's advisory describes the vulnerability as a memory corruption issue within dyld. While Apple has not released a full technical write-up (consistent with its standard practice of withholding details until broad patch adoption), the nature of the flaw fits a class of vulnerabilities seen in dynamic linker implementations: heap corruption during library resolution, a type confusion during symbol binding, or an out-of-bounds write in the relocation processing pipeline.
The prerequisite for exploitation is that an attacker already has a memory write capability on the target device. This is precisely what the two chained WebKit vulnerabilities provide. CVE-2025-14174 (an out-of-bounds memory access in ANGLE's Metal renderer, CVSS 8.8) and CVE-2025-43529 (a WebKit use-after-free, CVSS 8.8) together grant the attacker controlled writes into the browser process's memory. The attacker then uses CVE-2026-20700 to escalate from browser process memory corruption to arbitrary code execution at a deeper system level via dyld.
The exploit chain recovered by Google TAG follows a familiar pattern for modern iOS/macOS compromise:
- Stage 1 — WebKit Initial Access (CVE-2025-14174 / CVE-2025-43529): Victim browses to or is redirected to a malicious webpage. The WebKit vulnerabilities grant controlled memory read/write within the browser's sandboxed renderer process.
- Stage 2 — Sandbox Escape via dyld (CVE-2026-20700): With memory write primitives established, the attacker triggers the dyld memory corruption to execute attacker-controlled code outside the browser sandbox, escalating to a less-restricted process context.
- Stage 3 — Persistence & Payload: Attacker establishes a foothold, deploys spyware or surveillance payload, and leverages the compromised device for data exfiltration, location tracking, or further pivoting.
Affected Platforms & Patch Versions
CVE-2026-20700 affects virtually every modern Apple device. The affected platforms and corresponding safe versions are:
- iOS & iPadOS: Vulnerable on versions before iOS 26.3 / iPadOS 26.3 (newer devices) and iOS 18.7.5 / iPadOS 18.7.5 (older devices)
- macOS Tahoe: Vulnerable prior to macOS Tahoe 26.3
- macOS Sequoia: Vulnerable prior to macOS Sequoia 15.7.4
- macOS Sonoma: Vulnerable prior to macOS Sonoma 14.8.4
- watchOS: Vulnerable prior to watchOS 26.3
- tvOS: Vulnerable prior to tvOS 26.3
- visionOS: Vulnerable prior to visionOS 26.3
- Safari: Safari 26.3 includes associated WebKit fixes
To check the installed macOS version from a terminal:
```shell
sw_vers -productVersion
# Or check via System Settings:
# Apple Menu → System Settings → General → Software Update
# Safe versions:
# macOS Tahoe: >= 26.3
# macOS Sequoia: >= 15.7.4
# macOS Sonoma: >= 14.8.4
```
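An added example (not Apple's code or the advisory's own): a POSIX shell check that compares a `sw_vers -productVersion` string against the fixed versions listed above for its macOS branch, and reports the hosts still on a vulnerable build from an MDM-style "hostname,version" inventory. The inventory lines and host names are constructed for the example.

```shell
# Added example (not Apple's code): classify macOS productVersion strings
# against the fixed releases the advisory names for each branch.
# Succeed (0) when dotted version $1 >= $2, component by component;
# a missing component counts as 0 (so 15.8 >= 15.8.0).
version_ge() {
  v1=$1; v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1=${v1%%.*}; p2=${v2%%.*}
    if [ "$v1" = "$p1" ]; then v1=; else v1=${v1#*.}; fi
    if [ "$v2" = "$p2" ]; then v2=; else v2=${v2#*.}; fi
    p1=${p1:-0}; p2=${p2:-0}
    if [ "$p1" -gt "$p2" ]; then return 0; fi
    if [ "$p1" -lt "$p2" ]; then return 1; fi
  done
  return 0
}

# First fixed version per branch listed in the advisory; empty if unlisted.
fixed_version_for() {
  case $1 in
    26.*|26) echo 26.3 ;;    # macOS Tahoe
    15.*|15) echo 15.7.4 ;;  # macOS Sequoia
    14.*|14) echo 14.8.4 ;;  # macOS Sonoma
    *)       echo "" ;;
  esac
}

# Prints patched, vulnerable, or not-in-advisory for one version string.
macos_patch_status() {
  fixed=$(fixed_version_for "$1")
  if [ -z "$fixed" ]; then echo not-in-advisory; return 0; fi
  if version_ge "$1" "$fixed"; then echo patched; else echo vulnerable; fi
}

# Fleet view: "hostname,productVersion" lines on stdin (e.g. an MDM export) -> vulnerable hosts.
fleet_vulnerable_hosts() {
  while IFS=, read -r host ver; do
    if [ "$(macos_patch_status "$ver")" = vulnerable ]; then
      echo "$host $ver"
    fi
  done
}

# Constructed sample inventory (not real hosts) to exercise the functions.
SAMPLE_INVENTORY='mac-01,26.2.1
mac-02,15.7.4
mac-03,14.8.3
mac-04,13.7.8'
printf '%s\n' "$SAMPLE_INVENTORY" | fleet_vulnerable_hosts
```

On a Mac itself, `macos_patch_status "$(sw_vers -productVersion)"` classifies the local system; branches the advisory does not list (for example the 13.x sample host) are reported as not-in-advisory rather than guessed at.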
Threat Context: Who Is at Risk?
Apple's specific language — "extremely sophisticated attack against specific targeted individuals" — is a well-established indicator that the vulnerability was weaponized by a nation-state or advanced persistent threat (APT) actor operating within the surveillance or espionage space. This language has historically preceded disclosures later attributed to tools like Pegasus (NSO Group), PREDATOR (Cytrox), and similar commercial spyware vendors.
The involvement of Google's Threat Analysis Group as the discoverer reinforces this assessment. Google TAG specifically tracks campaigns by government-backed threat actors and commercial surveillance vendors. The exploitation of multiple chained zero-days (three CVEs across two Apple subsystems) is consistent with a highly resourced adversary maintaining a full exploit chain developed over months, not an opportunistic attacker.
High-risk individuals include: journalists investigating government corruption, human rights defenders, political opposition figures, business executives in sensitive industries, and government employees with access to sensitive information. However, given the historical broad deployment of iOS spyware, any Apple device user should treat this as urgent.
If you are a journalist, activist, lawyer, or government official who may be subject to targeted surveillance, enable Apple Lockdown Mode (Settings → Privacy & Security → Lockdown Mode). Lockdown Mode significantly hardens the attack surface of Apple devices against exploit chains of this type by disabling many of the features that such exploits rely on. It does not guarantee protection, but meaningfully raises the cost of exploitation.
Detection
Detecting exploitation of CVE-2026-20700 on a consumer device is extremely difficult. Sophisticated spyware of this caliber (comparable to Pegasus) is specifically designed to operate covertly, avoid system logs, and resist forensic analysis. The most reliable detection method for high-risk individuals is:
- Mobile Threat Hunting via iMazing + MVT: Use Amnesty International's Mobile Verification Toolkit (MVT) with an iTunes backup or a forensic image of the device to scan for known indicators of compromise (IOCs) associated with commercial spyware campaigns. MVT maintains a regularly updated database of IOCs.
- Network traffic anomalies: Unusual network connections to unfamiliar domains or IP addresses from system processes (visible in a network monitor like Little Snitch on macOS) may indicate malware C2 communication.
- Unexpected device behavior: Rapidly draining battery, device running hot at idle, and unexplained data usage are anecdotal but sometimes reported indicators of background surveillance software activity.
Remediation
- Apply all Apple software updates immediately. Go to Settings → General → Software Update on iOS/iPadOS and Apple Menu → System Settings → Software Update on macOS. Do not defer this update.
- Enable automatic security response updates. Apple's Rapid Security Responses allow critical patches to be applied without a full OS update. Ensure this is enabled in Software Update settings.
- Update all Apple devices in your household/organization. The vulnerability affects Apple Watch, Apple TV, and Vision Pro — not just iPhones and Macs. All devices need to be updated.
- High-risk users: enable Lockdown Mode. See the Threat Context section above.
- Enterprise MDM: Push the software update via your MDM (Jamf, Kandji, Mosyle, etc.) to all managed Apple devices. Flag devices that do not update within 24 hours.
Zero Trust Perspective
CVE-2026-20700 highlights the compounded risk of chained zero-day exploits targeting mobile endpoints. In a Zero Trust architecture, mobile devices are often implicitly trusted endpoints because they are enrolled in MDM and considered "managed." This vulnerability demonstrates that managed does not mean uncompromised.
- Continuous device health verification: Zero Trust access platforms must continuously verify device security posture — not just at enrollment time. An MDM-enrolled iPhone that was compromised by a zero-day chain should not be granted access to corporate resources. Use EDR/MTD solutions on mobile (CrowdStrike Falcon for Mobile, Lookout, Zimperium) to provide real-time threat detection signals.
- Minimize app and system permissions: The principle of least privilege applies to apps on mobile devices too. Unnecessary access to microphone, camera, location, and contacts in installed apps expands the value of a device compromise to an attacker.
- Assume mobile is a hostile endpoint: Sensitive corporate actions — approving financial transactions, accessing source code, reviewing sensitive documents — should require strong authentication that a compromised mobile device cannot silently satisfy on behalf of an attacker.
- WebKit is not just Safari: On iOS and iPadOS, all third-party browsers are required to use WebKit. This means WebKit vulnerabilities affect every browser on iPhone, not just Safari — Chrome for iOS, Firefox for iOS, and Edge for iOS are all equally exposed to WebKit bugs.