Apple revealed its first actively exploited zero-day vulnerability of 2026, tracked as CVE-2026-20700 (CVSS 7.8), a memory corruption issue in dyld — Apple’s Dynamic Link Editor — that could allow attackers to execute arbitrary code.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” the company said. Google Threat Analysis Group discovered and reported the bug.
Two additional CVEs were also issued in response to the same report: CVE-2025-14174 and CVE-2025-43529 (patched in December 2025), indicating the attacks used a chain of exploits targeting multiple vulnerabilities. The updates shipped across iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS.