Apple fixes dangerous zero-day flaw affecting macOS, iOS and more - update now to avoid 'extremely sophisticated attack'

News
By published

The bug was used in an "extremely sophisticated attack"

A person holding an iPhone running iOS 26.
(Image credit: Apple)
  • Apple patches zero-day CVE-2026-20700 in Dynamic Link Editor (dyld)
  • Flaw enabled arbitrary code execution, used in sophisticated targeted attacks
  • Fixes released in iOS, iPadOS, macOS, tvOS, watchOS, and visionOS updates

Apple has fixed its first zero-day vulnerability of 2026, a bug that has apparently been used in an “extremely sophisticated attack”.

In a security advisory, Apple said the Google Threat Analysis Group (GTAG) discovered a memory corruption issue in the Dynamic Link Editor (dyld), a system component that helps apps run, and when a person opens an app, the component loads the shared libraries it needs and connects everything together.

Dyld works in the background and is essential for running apps on Apple devices.

State-sponsored actors

Now, Apple says the bug, which allows malicious actors with memory write capability to execute arbitrary code on vulnerable devices, is tracked as CVE-2026-20700, and is given a severity score of 9.8/10 (critical), as per Tenable.

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report."

There are two things that stand out in this advisory: that the bug was used in an extremely sophisticated attack against specific individuals, and that it was discovered by GTAG - a group that almost exclusively tracks state-sponsored threat actors.

This might mean that the targets were politicians, diplomats, CEOs of critical infrastructure organizations, or those working in defense, aerospace, or telecommunications sectors. Historically, these people are the first ones to be targeted with a zero-day on an Apple device.

Here is the full list of affected devices:

iPhone 11 and later

iPad Pro 12.9-inch (3rd generation and later)

iPad Pro 11-inch (1st generation and later)

iPad Air (3rd generation and later)

iPad (8th generation and later)

iPad mini (5th generation and later)

Mac devices running macOS Tahoe

The bug was fixed in iOS 18.7.5, iPadOS 18.7.5, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3, and visionOS 26.3, so make sure to patch as soon as possible.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.