
Apple dyld Zero-Day (CVE-2026-20700) Added to CISA KEV After Targeted Exploitation

actively-exploited-vulnerability, government-vulnerability-catalog, endpoint-software-vulnerability, widely-deployed-product-advisory
Updated March 21, 2026 at 02:33 PM | 5 sources

Apple disclosed and patched CVE-2026-20700, a zero-day affecting dyld (Apple’s Dynamic Link Editor) across multiple operating systems (iOS, iPadOS, macOS, tvOS, watchOS, and visionOS). Apple said the issue was exploited in “extremely sophisticated” attacks targeting specific individuals and described the flaw as enabling arbitrary code execution when an attacker already has memory-write capability, indicating use in advanced exploit chains rather than opportunistic mass exploitation.

CISA added CVE-2026-20700 to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation and set a remediation due date of 2026-03-05 for U.S. federal civilian agencies under BOD 22-01, while urging all organizations to prioritize patching. The same CISA KEV update also added three other actively exploited vulnerabilities—CVE-2024-43468 (Microsoft Configuration Manager SQL injection), CVE-2025-15556 (Notepad++ WinGUp updater integrity-check weakness), and CVE-2025-40536 (SolarWinds Web Help Desk security control bypass)—but those are separate issues from the Apple dyld zero-day.

Timeline

  1. Feb 14, 2026

    CISA republishes KEV data with Apple CVE-2026-20700 entry details

    A subsequent KEV data update published detailed entry information for CVE-2026-20700, including affected Apple platforms, CWE-119 classification, vendor references, and mitigation guidance. The entry described the flaw as a buffer overflow that could enable arbitrary code execution if an attacker has memory-write capability.

  2. Feb 12, 2026

    CISA KEV catalog update raises total listed vulnerabilities to 1,516

    A CISA KEV data update changed the catalog version from 2026.02.11 to 2026.02.12 and increased the total vulnerability count from 1,513 to 1,516. The update reflected the newly added exploited vulnerabilities and set remediation due dates including 2026-03-05 for several entries.

  3. Feb 12, 2026

    CISA adds four actively exploited vulnerabilities to the KEV Catalog

    CISA added four vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation: CVE-2026-20700 affecting Apple products, CVE-2024-43468 affecting Microsoft Configuration Manager, CVE-2025-15556 affecting Notepad++ WinGUp, and a SolarWinds Web Help Desk flaw. CISA directed federal agencies to remediate them by the specified due dates under BOD 22-01 and urged all organizations to prioritize patching.

  4. Feb 12, 2026

    Apple releases patches for exploited zero-day CVE-2026-20700

    Apple released security updates for CVE-2026-20700, a dyld buffer overflow affecting multiple Apple operating systems that could allow arbitrary code execution when an attacker has memory-write capability. Apple said the flaw had been exploited in extremely sophisticated targeted attacks against specific individuals and linked it to the same incidents as two previously patched vulnerabilities.
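The catalog update in the timeline (version 2026.02.11 to 2026.02.12, new entries with a 2026-03-05 due date) can be tracked by diffing two KEV JSON snapshots. The following is an added example, not code from CISA or from this page; the snapshots are constructed, and only the CVE-2026-20700 values are taken from the text above.

```python
import json
from datetime import date

# Constructed snapshots using the public KEV JSON field names. Only the
# CVE-2026-20700 values (date added, due date, CWE-119) come from the page;
# CVE-0000-00001, the vendor names and the counts are placeholders.
OLD = json.dumps({"catalogVersion": "2026.02.11", "count": 1, "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "cwes": []}]})
NEW = json.dumps({"catalogVersion": "2026.02.12", "count": 2, "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "cwes": []},
    {"cveID": "CVE-2026-20700", "vendorProject": "Apple",
     "dateAdded": "2026-02-12", "dueDate": "2026-03-05", "cwes": ["CWE-119"]}]})


def diff_kev(old_json, new_json, today):
    """Return entries present only in the newer snapshot, with deadline status."""
    old, new = json.loads(old_json), json.loads(new_json)
    for snap in (old, new):
        # A count that disagrees with the list means a truncated or edited file.
        if snap["count"] != len(snap["vulnerabilities"]):
            raise ValueError(f"count mismatch in {snap['catalogVersion']}")
    known = {v["cveID"] for v in old["vulnerabilities"]}
    added = []
    for v in new["vulnerabilities"]:
        if v["cveID"] in known:
            continue
        due = date.fromisoformat(v["dueDate"])
        added.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "cwes": v.get("cwes", []),
            "due": due.isoformat(),
            "days_left": (due - today).days,  # negative once the date has passed
            "overdue": due < today,
        })
    added.sort(key=lambda e: e["days_left"])  # most urgent first
    return {"from": old["catalogVersion"], "to": new["catalogVersion"], "added": added}


if __name__ == "__main__":
    report = diff_kev(OLD, NEW, today=date(2026, 2, 14))
    print(f"KEV {report['from']} -> {report['to']}")
    for e in report["added"]:
        state = "OVERDUE" if e["overdue"] else f"{e['days_left']} days left"
        print(f"  {e['cve']} ({e['vendor']}, {','.join(e['cwes'])}) due {e['due']}: {state}")
```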


Related Stories

Apple Patches Actively Exploited dyld Zero-Day in iOS and Other Platforms


Apple released security updates to address an **actively exploited zero-day** tracked as **CVE-2026-20700**, warning it may have been used in an “extremely sophisticated” attack targeting specific individuals on versions of iOS prior to *iOS 26*. The flaw affects **`dyld` (Apple’s dynamic linker)** and can allow **arbitrary code execution** when an attacker already has **memory write** capability; reporting attributes discovery to **Google’s Threat Analysis Group** and notes it may have been used as part of an exploit chain. Apple shipped fixes across its ecosystem, including *iOS 26.3*, *iPadOS 26.3*, *macOS Tahoe 26.3*, *watchOS 26.3*, *tvOS 26.3*, and *visionOS 26.3*. The same reporting indicates Apple also issued patches tied to the broader report for **CVE-2025-14174** (an out-of-bounds memory access issue in Chrome’s **ANGLE** graphics component on Mac) and **CVE-2025-43529** (a **use-after-free** leading to code execution), and commentary from security practitioners emphasized that enterprise risk is driven by **patch deployment speed**—particularly where updates rely on end users rather than enforced device management.

1 month ago
Apple Zero-Day CVE-2026-20700 Patched Across iOS, macOS, and Other Platforms


Apple released security updates for **CVE-2026-20700**, a **zero-day** in `dyld` (the Dynamic Link Editor) that can enable **arbitrary code execution** when an attacker already has a memory-write capability. Apple said it is aware the issue “may have been exploited” in **extremely sophisticated, targeted attacks** against specific individuals, and credited **Google Threat Analysis Group (TAG)** with discovery. Apple also linked the same incident reporting to two earlier vulnerabilities (**CVE-2025-14174** and **CVE-2025-43529**) that were previously addressed. The fixes were shipped across Apple’s ecosystem, including **iOS/iPadOS**, **macOS** (including *macOS Tahoe*), **tvOS**, **watchOS**, and **visionOS**; impacted device families include iPhone 11 and later and multiple iPad generations, as well as Macs running *macOS Tahoe*. Canadian Centre for Cyber Security guidance echoed Apple’s warning of potential exploitation and urged rapid patching (e.g., **iOS/iPadOS 18.7.5** and **26.3** releases for newer OS lines). Other vendor advisories published in the same period (HPE, Chrome, Intel, Fortinet, Siemens, Dell, CISA ICS, IBM, Red Hat) are unrelated to the Apple zero-day and reflect routine multi-vendor patch activity rather than the specific exploitation event.

1 month ago
CISA Flags Actively Exploited Vulnerabilities in SolarWinds Web Help Desk and Major Platforms


**CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog**, triggering mandatory remediation timelines for U.S. federal civilian agencies. The newly listed issues include an actively exploited flaw in **SolarWinds Web Help Desk** (`CVE-2025-40536`) with an accelerated patch deadline, alongside additional KEV additions affecting **Apple** platforms (iOS, macOS, tvOS, watchOS, visionOS), **Microsoft** products, and **Notepad++**. Apple stated it was aware of reports the issue “may have been exploited in an extremely sophisticated attack against specific targeted individuals,” with **Google Threat Analysis Group** credited with discovery, underscoring continued targeting of high-value users via mobile/endpoint zero-days. Separate reporting highlighted the broader operational context driving these directives: **Microsoft’s February security update** addressed **59 vulnerabilities**, including **six zero-days under active exploitation**, reinforcing that exploit timelines are compressing and patching is increasingly a “defense sprint.” In parallel, CISA also moved to reduce systemic exposure at the perimeter by ordering agencies to **remove unsupported network edge devices** (e.g., firewalls/routers) within a year, reflecting concern that end-of-support infrastructure and rapidly weaponized vulnerabilities are converging into a persistent, high-impact federal risk.

1 month ago
