Apple released iOS 26.3 and iPadOS 26.3 on February 11, 2026, patching over 40 vulnerabilities, including a critical zero-day in the dyld component actively exploited in targeted attacks.
The update addresses CVE-2026-20700, a memory-corruption flaw discovered by Google’s Threat Analysis Group, which enables arbitrary code execution for attackers with memory-write access.
Dyld, Apple’s Dynamic Link Editor, handles loading and linking of dynamic libraries across iOS, macOS, and other platforms. This flaw (CVE-2026-20700) stems from improper state management, allowing memory corruption that leads to code execution.
Apple notes it was part of “an extremely sophisticated attack against specific targeted individuals” on iOS versions before 26, linking it to prior fixes CVE-2025-14174 and CVE-2025-43529 from December 2025.
The attack chain likely begins with initial access possibly via phishing or zero-click exploits gaining memory write privileges before leveraging dyld for persistence or escalation.
Targeted victims include high-profile individuals like journalists or activists, consistent with nation-state spyware campaigns such as Pegasus or those attributed to Google’s reports. No public proof-of-concept exists, but Apple’s rapid patching underscores the threat’s severity.
Apple 0-Day Vulnerability Exploited
Exploitation requires prior compromise, perhaps through WebKit rendering or kernel bugs also patched in this update. Once memory write is achieved, attackers corrupt dyld’s state during library loading, hijacking control flow to execute shellcode.
This bypasses mitigations like Pointer Authentication Codes (PAC) or KASLR if chained cleverly, potentially installing persistent spyware for data exfiltration.
Apple fixed it with “improved state management,” likely enhancing validation in dyld’s memory allocation and linking phases. Affected devices span iPhone 11+, recent iPad Pros, Airs, and minis billions at risk if unpatched.
iOS 26.3 patches 37+ issues across Accessibility (lock screen leaks), Kernel (root escalation), WebKit (DoS/crashes), and Sandbox (breakouts). Notable: CoreServices race conditions for root (CVE-2026-20617/20615), Photos lock screen access (CVE-2026-20642). Credits go to researchers like Jacob Prezant, Trend Micro ZDI, and anonymous finders.
This marks Apple’s first 2026 zero-day fix, following seven in 2025, signaling persistent advanced threats. While targeted, public disclosure risks wider abuse; mass-market spyware remains unlikely without remote entry.
Users should update immediately via Settings > General > Software Update—automatic installs are enabled by default. Enterprises: enforce MDM policies, monitor for anomalies via Apple Unified Logging.
Disable unnecessary features like iPhone Mirroring (patched UI issue CVE-2026-20640). Cybersecurity pros: analyze dyld for similar flaws; watch CISA KEV catalog for mandates.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Apple 0-Day Vulnerability Actively Exploited in Sophisticated Attack to Target Individuals appeared first on Cyber Security News.
