Apple fixes zero-day flaw exploited in targeted attacks (CVE-2026-20700)
Apple has released fixes for a zero-day vulnerability (CVE-2026-20700) exploited in targeted attacks last year.
CVE-2026-20700 is a memory corruption issue in dyld, the Dynamic Link Editor component of Apple’s operating systems, and may allow attackers with memory write capability to execute arbitrary code.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” the company said.
“CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.”
CVE-2025-14174 and CVE-2025-43529 affected WebKit and, like CVE-2026-20700, were reported by Google Threat Analysis Group, a specialized security and intelligence team within Google that focuses on tracking, analyzing, and countering advanced cyber threats, especially those backed by governments.
Details about these attacks are still under wraps.
Fixes are available for the latest OS branches
The fix for CVE-2026-20700 has been provided to iPhone, iPad, Mac, Apple Watch, AppleTV and Apple Vision Pro users that run the most recent versions of the underlying operating systems:
Those running older OS branches – iOS 18.7.5 and iPadOS 18.7.5, macOS Sequoia 15.7.4 and macOS Sonoma 14.8.4 – must wait for the fix to be backported, which will hopefully be soon.
Despite the attacks having been described as targeted, all users should update their Apple devices as quickly as possible.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!