Apple Zero-Day CVE-2026-20700 Patched Across iOS, macOS, and Other Platforms

actively-exploited-vulnerability, endpoint-software-vulnerability, widely-deployed-product-advisory
Updated March 21, 2026 at 02:34 PM (3 sources)

Apple released security updates for CVE-2026-20700, a zero-day in dyld (the Dynamic Link Editor) that can enable arbitrary code execution when an attacker already has a memory-write capability. Apple said it is aware the issue “may have been exploited” in extremely sophisticated, targeted attacks against specific individuals, and credited Google Threat Analysis Group (TAG) with discovery. Apple also linked the same incident reporting to two earlier vulnerabilities (CVE-2025-14174 and CVE-2025-43529) that were previously addressed.

The fixes were shipped across Apple’s ecosystem, including iOS/iPadOS, macOS (including macOS Tahoe), tvOS, watchOS, and visionOS; impacted device families include iPhone 11 and later and multiple iPad generations, as well as Macs running macOS Tahoe. Canadian Centre for Cyber Security guidance echoed Apple’s warning of potential exploitation and urged rapid patching (e.g., iOS/iPadOS 18.7.5 and 26.3 releases for newer OS lines). Other vendor advisories published in the same period (HPE, Chrome, Intel, Fortinet, Siemens, Dell, CISA ICS, IBM, Red Hat) are unrelated to the Apple zero-day and reflect routine multi-vendor patch activity rather than the specific exploitation event.
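
An added example, not part of the original page or of Apple's or the Canadian Centre for Cyber Security's guidance: a patch-status check for a device inventory, using only the fixed releases this page names (iOS/iPadOS 18.7.5 and 26.3; macOS Tahoe, watchOS, tvOS and visionOS 26.3). The CSV columns, device IDs and status labels are constructed for illustration; release lines with no fixed build named on this page are reported as unknown rather than guessed.

```python
import csv
import io

# Fixed releases named on this page, keyed by (platform, major release line).
# A release line that is not listed has no fixed build stated on the page.
FIXED = {
    ("ios", 18): (18, 7, 5), ("ipados", 18): (18, 7, 5),
    ("ios", 26): (26, 3, 0), ("ipados", 26): (26, 3, 0),
    ("macos", 26): (26, 3, 0), ("watchos", 26): (26, 3, 0),
    ("tvos", 26): (26, 3, 0), ("visionos", 26): (26, 3, 0),
}

# Constructed sample inventory (hypothetical MDM export, not real devices).
SAMPLE_INVENTORY = """device_id,platform,os_version
ph-001,iOS,18.7.4
ph-002,iOS,18.7.5
ph-003,iOS,26.2
tab-001,iPadOS,26.3
mac-001,macOS,26.3.1
mac-002,macOS,15.7
tv-001,tvOS,26.2.1
ph-004,iOS,unknown
"""

def parse_version(text):
    """Turn '26.3' into (26, 3, 0); raises ValueError on malformed input."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, os_version):
    """Return 'patched', 'needs_update' or 'unknown' for one device."""
    try:
        have = parse_version(os_version)
    except ValueError:
        return "unknown"  # unparseable version string needs manual review
    fixed = FIXED.get((platform.strip().lower(), have[0]))
    if fixed is None:
        return "unknown"  # no fixed build for this release line on the page
    return "patched" if have >= fixed else "needs_update"

def audit(inventory_csv):
    """Group device IDs from a CSV inventory by patch status."""
    report = {"patched": [], "needs_update": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["platform"], row["os_version"])
        report[status].append(row["device_id"])
    return report

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices)}")
```

Devices reported as unknown should be checked against Apple's own advisories for their release line before being treated as either safe or exposed.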

Timeline

  1. Feb 11, 2026

    Canadian Centre for Cyber Security issues Apple advisory

    The Canadian Centre for Cyber Security published advisory AV26-122 on February 11, 2026, summarizing Apple’s security updates and noting that CVE-2026-20700 may have been exploited in the wild. It urged users and administrators to review Apple’s guidance and apply the patches.

  2. Feb 11, 2026

    Apple releases broad February 2026 security updates

    On February 11, 2026, Apple released security updates across iOS, iPadOS, macOS, tvOS, watchOS, and visionOS, fixing numerous vulnerabilities affecting components such as WebKit, Kernel, Foundation, CFNetwork, Bluetooth, Wi‑Fi, and multiple apps and frameworks. The updates included fixes for denial-of-service, memory corruption, data exposure, sandbox escape, and privilege-escalation issues, including CVE-2026-20700.

  3. Feb 11, 2026

    Apple says CVE-2026-20700 was used in targeted attacks

    Apple stated it is aware of reports that CVE-2026-20700 may have been exploited in an 'extremely sophisticated' attack against specific targeted individuals on iOS versions prior to iOS 26. The company did not disclose technical details of the exploitation.

  4. Feb 11, 2026

    Google TAG discovers dyld zero-day CVE-2026-20700

    Google’s Threat Analysis Group identified CVE-2026-20700, an arbitrary code execution flaw in Apple’s dyld component. Apple later credited TAG for the discovery in its February 2026 security updates.

  5. Dec 1, 2025

    Apple fixes two vulnerabilities later linked to same attack chain

    Apple had previously patched CVE-2025-14174 and CVE-2025-43529 in December 2025. In its February 2026 advisories, Apple said CVE-2026-20700 was exploited in the same incidents as those two earlier flaws.

Related Entities

Vulnerabilities

- Apple dyld user-mode PAC bypass memory corruption (CVE-2026-20700)
- Sensitive data exposure in macOS (fixed in macOS Tahoe 26.3) (CVE-2026-20647)
- Sensitive data exposure in Spotlight (macOS) (CVE-2026-20612)
- iOS/iPadOS VoiceOver lock-screen authorization bypass via state management (CVE-2026-20661)
- WebKit process crash on malicious web content (CVE-2026-20635)
- Sensitive information redaction issue in macOS Notification Center (macOS Tahoe < 26.3) (CVE-2026-20603)
- Installed-app enumeration privacy issue in Apple StoreKit (CVE-2026-20641)
- Sandbox escape in Apple libxpc (CVE-2026-20667)
- Out-of-bounds access in Apple ImageIO media file processing (CVE-2025-43338)
- Memory corruption in Apple WindowServer (macOS) (CVE-2025-43402)
- Sensitive data exposure via logic issue in CoreServices (macOS Tahoe 26.2) (CVE-2025-46283)
- Out-of-bounds write in Apple Model I/O USD file parsing (CVE-2026-20616)
- Out-of-bounds read in Apple GPU Drivers (macOS) (CVE-2026-20620)
- Arbitrary File Write in Apple CFNetwork (CVE-2026-20660)
- Out-of-bounds access in Apple CoreAudio media file processing (CVE-2026-20611)
- Protected system file deletion via state management flaw in macOS PackageKit (CVE-2025-46310)
- Authorization bypass in macOS Compression (state management) (CVE-2025-43403)
- macOS Tahoe Permissions Issue Allowing Access to Protected User Data (CVE-2026-20630)
- Identifying information leak to Live Caller ID app extensions in iOS/iPadOS (Call History) (CVE-2026-20638)
- Protected user data access via permissions issue in macOS Foundation (macOS Tahoe < 26.3) (CVE-2026-20623)
- Sensitive data access via directory-path parsing in Apple Shortcuts (CVE-2026-20653)
- User tracking via Safari web extensions in WebKit (CVE-2026-20676)
- Sensitive data exposure via Spotlight app-state observability (CVE-2026-20680)
- Root Privilege Escalation in macOS Remote Management (CVE-2026-20614)
- Sensitive data access via directory path parsing issue in macOS Admin Framework (CVE-2026-20669)
- Sandbox permissions issue leading to sandbox escape in Apple Sandbox (CVE-2026-20628)
- Lock-screen information disclosure via inconsistent UI state management in iOS/iPadOS Accessibility (CVE-2026-20645)
- iOS/iPadOS LaunchServices logging sanitization flaw enabling installed-app enumeration (CVE-2026-20663)
- macOS Security package validation issue leading to root privilege escalation (macOS Tahoe 26.3) (CVE-2026-20658)
- Local root privilege escalation in Setup Assistant via symlink handling (macOS Tahoe) (CVE-2026-20610)
- DoS in Apple Bluetooth via crafted packets (privileged network position) (CVE-2026-20650)
- Locked-device sensitive information disclosure in iOS/iPadOS Accessibility (CVE-2026-20674)
- macOS Tahoe Logging Redaction Issue Leaking Location Data (CVE-2026-20646)
- CVE-2026-20626
- Siri lock-screen authorization bypass via state management issue (macOS) (CVE-2026-20662)
- Apple Multi-Touch bounds-checking issue leading to process crash via malicious HID device (CVE-2025-46305)
- WebKit remote denial-of-service via memory handling flaw (CVE-2026-20652)
- Sensitive data exposure via insufficient log redaction in macOS System Settings (CVE-2026-20619)
- Local Privilege Escalation to root in Apple CoreServices (race condition) (CVE-2026-20617)
- Contacts log redaction privacy leak in macOS Tahoe (Contacts) (CVE-2026-20681)

Related Stories

Apple Patches Actively Exploited dyld Zero-Day in iOS and Other Platforms

Apple released security updates to address an **actively exploited zero-day** tracked as **CVE-2026-20700**, warning it may have been used in an “extremely sophisticated” attack targeting specific individuals on versions of iOS prior to *iOS 26*. The flaw affects **`dyld` (Apple’s dynamic linker)** and can allow **arbitrary code execution** when an attacker already has **memory write** capability; reporting attributes discovery to **Google’s Threat Analysis Group** and notes it may have been used as part of an exploit chain. Apple shipped fixes across its ecosystem, including *iOS 26.3*, *iPadOS 26.3*, *macOS Tahoe 26.3*, *watchOS 26.3*, *tvOS 26.3*, and *visionOS 26.3*. The same reporting indicates Apple also issued patches tied to the broader report for **CVE-2025-14174** (an out-of-bounds memory access issue in Chrome’s **ANGLE** graphics component on Mac) and **CVE-2025-43529** (a **use-after-free** leading to code execution), and commentary from security practitioners emphasized that enterprise risk is driven by **patch deployment speed**—particularly where updates rely on end users rather than enforced device management.

1 month ago

Apple dyld Zero-Day (CVE-2026-20700) Added to CISA KEV After Targeted Exploitation

Apple disclosed and patched **CVE-2026-20700**, a zero-day affecting `dyld` (Apple’s Dynamic Link Editor) across multiple operating systems (**iOS, iPadOS, macOS, tvOS, watchOS, and visionOS**). Apple said the issue was exploited in “**extremely sophisticated**” attacks targeting specific individuals and described the flaw as enabling **arbitrary code execution** when an attacker already has **memory-write capability**, indicating use in advanced exploit chains rather than opportunistic mass exploitation. CISA added **CVE-2026-20700** to the **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation and set a remediation due date of **2026-03-05** for U.S. federal civilian agencies under **BOD 22-01**, while urging all organizations to prioritize patching. The same CISA KEV update also added three other actively exploited vulnerabilities—**CVE-2024-43468** (Microsoft Configuration Manager SQL injection), **CVE-2025-15556** (Notepad++ WinGUp updater integrity-check weakness), and **CVE-2025-40536** (SolarWinds Web Help Desk security control bypass)—but those are separate issues from the Apple `dyld` zero-day.

1 month ago

Emergency Patches for Apple and Google Zero-Day Exploits in Targeted Attacks

Apple and Google released emergency security updates after discovering that zero-day vulnerabilities in their software were being actively exploited in highly targeted attacks. The campaign, attributed to nation-state actors and commercial spyware vendors, focused on high-value individuals rather than the general public. Apple addressed two critical WebKit vulnerabilities, CVE-2025-14174 and CVE-2025-43529, which were exploited in sophisticated attacks against iPhones, iPads, and Macs running iOS versions prior to 26. Google also patched a Chrome vulnerability discovered in collaboration with Apple’s security team and Google’s Threat Analysis Group, indicating a coordinated response to a broader espionage campaign. The Apple updates, released as iOS 26.2 and iPadOS 26.2, fixed the WebKit flaws that allowed arbitrary code execution and memory corruption through malicious web content. These vulnerabilities affected iPhone 11 and later models, as well as several iPad variants. In addition to the WebKit issues, Apple resolved over 30 other vulnerabilities across various components, including the Kernel and Screen Time. Both companies withheld detailed technical information, suggesting ongoing investigations into the attacks. The rapid deployment of these patches underscores the severity and sophistication of the threat, with both Apple and Google urging users to update their devices immediately.

1 month ago
