Apple Zero-Day Vulnerability (CVE-2026-20700) Exploited: Urgent Updates Needed

by Rachel Kim – Technology Editor

Apple on Wednesday released emergency security updates to address a zero-day vulnerability in its core operating systems that security researchers believe was exploited in highly targeted cyberattacks. The flaw, designated CVE-2026-20700, impacts iOS, iPadOS, macOS, tvOS, watchOS, and visionOS.

The vulnerability was discovered and reported to Apple by Google’s Threat Analysis Group (TAG), according to a security advisory released by the company. Apple confirmed the vulnerability “may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”

CVE-2026-20700 is a memory corruption issue within dyld, Apple’s Dynamic Link Editor. Dyld is a critical system component responsible for loading and linking executable code and shared libraries when applications launch. According to Apple, successful exploitation could allow an attacker with memory write capabilities to execute arbitrary code on vulnerable devices, potentially granting them deep system-level control.

While Apple has not disclosed specific technical details of the exploit – a common practice to prevent wider exploitation before patches are deployed – security experts note that memory corruption vulnerabilities in dynamic loaders are particularly dangerous. Dynamic loaders run early in the application execution process, so a flaw in one can potentially bypass other security mitigations.

Apple also revealed that CVE-2026-20700 was reportedly exploited in conjunction with two previously patched vulnerabilities: CVE-2025-14174, an out-of-bounds memory access issue in ANGLE’s Metal renderer component, and CVE-2025-43529, a use-after-free vulnerability in WebKit. Both of these were addressed in December 2025, and Apple indicated all three vulnerabilities were connected to the same incident or campaign.

The affected devices include iPhone 11 and later, iPad Pro models (12.9-inch 3rd generation and later, 11-inch 1st generation and later), iPad Air (3rd generation and later), iPad (8th generation and later), iPad mini (5th generation and later), and Macs running macOS Tahoe.

Patches are available in iOS 18.7.5, iPadOS 18.7.5, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3, and visionOS 26.3. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20700 to its Known Exploited Vulnerabilities Catalog and urged users to patch the vulnerability before March 5, 2026.

Apple’s response, including the rapid release of patches and acknowledgement of active exploitation, reflects a growing industry trend toward faster vulnerability disclosure and coordinated response. The company has been steadily enhancing its security architecture with features like Lockdown Mode, Pointer Authentication Codes (PAC), and hardware-backed secure enclaves.

Despite these improvements, memory corruption vulnerabilities remain a significant challenge for complex operating systems. The discovery of this zero-day by Google TAG highlights the importance of collaboration between technology companies in identifying and mitigating advanced threats.

Apple advises all users to update their devices promptly through Settings → General → Software Update on iPhone and iPad, System Settings → General → Software Update on Mac, and corresponding update sections on Apple Watch, Apple TV, and Vision Pro. Security professionals recommend against delaying installation given the nature of the vulnerability.

CVE-2026-20700 marks Apple’s first confirmed zero-day patch of 2026, following a year, 2025, in which the company addressed seven actively exploited vulnerabilities. The ongoing emergence of zero-day exploits underscores the escalating sophistication of cyber threats and the increasing focus on mobile devices as targets for espionage and surveillance.
