- Apple patches zero-day CVE-2026-20700 in Dynamic Link Editor (dyld)
- The flaw allowed the execution of arbitrary code, used in sophisticated targeted attacks
- Fixes released in iOS, iPadOS, macOS, tvOS, watchOS, and visionOS updates
Apple has fixed its first zero-day vulnerability of 2026, a bug that has apparently been used in an “extremely sophisticated attack.”
In a security advisory, Apple said that the Google Threat Analysis Group (GTAG) discovered a memory corruption issue in the Dynamic Link Editor (dyld), a system component that helps apps run, and when a person opens an app, the component loads the shared libraries it needs and connects everything.
Dyld works in the background and is essential for running applications on Apple devices.
Now, Apple says the bug, which allows malicious actors with memory write capabilities to execute arbitrary code on vulnerable devices, is tracked as CVE-2026-20700 and assigned a severity score of 9.8/10 (critical), according to Tenable.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against targeted individuals on iOS versions prior to iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.”
There are two things that stand out in this advisory: that the bug was used in an extremely sophisticated attack against targeted individuals, and that it was discovered by GTAG, a group that almost exclusively tracks state-sponsored threat actors.
This could mean that the targets were politicians, diplomats, CEOs of critical infrastructure organisations, or those working in the defence, aerospace or telecommunications sectors. Historically, these people are the first to have a zero day applied to an Apple device.
Here is the full list of affected devices:
iPhone 11 and later
12.9-inch iPad Pro (3rd generation and later)
11-inch iPad Pro (1st generation and later)
iPad Air (3rd generation and later)
iPad (8th generation and later)
iPad mini (5th generation and later)
Mac devices running macOS Tahoe
The bug has been fixed in iOS 18.7.5, iPadOS 18.7.5, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3, and visionOS 26.3, so be sure to apply the patch as soon as possible.
Through beepcomputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
