Apple has released iOS 26.3, iPadOS 26.3, and macOS Tahoe 26.3 to patch dozens of security flaws, including a newly disclosed zero-day vulnerability that the company says was exploited in “an extremely sophisticated attack” against targeted individuals.
The actively exploited bug affects the dynamic linker (dyld) component and impacts iPhone, iPad, and Mac systems.
The zero-day, tracked as CVE-2026-20700, was reported by Google’s Threat Analysis Group (TAG), the same team that previously uncovered two WebKit zero-days, CVE-2025-14174 and CVE-2025-43529, patched by Apple in December 2025. In its advisory, Apple confirms it is aware of a report that the dyld flaw may have been exploited in highly targeted attacks against specific individuals running versions of iOS prior to iOS 26. The issue stems from a memory corruption vulnerability that could allow an attacker with memory write capabilities to execute arbitrary code. Apple addressed the bug with improved state management in the dynamic loader.
Dyld is a critical low-level component responsible for loading and linking executable code and system libraries at runtime. Because it operates at a foundational level of the operating system, successful exploitation could allow attackers to bypass security boundaries and gain extensive control over a compromised device. Apple also notes that CVE-2025-14174 and CVE-2025-43529 were issued in response to the same investigation, suggesting the latest zero-day may be part of a broader exploit chain previously used in real-world attacks.
Beyond the zero-day, iOS 26.3 and macOS Tahoe 26.3 fix an extensive list of vulnerabilities affecting core components, including the kernel, WebKit, CoreServices, CFNetwork, Bluetooth, and Sandbox.
Several of the patched flaws could allow local privilege escalation. For example, multiple CoreServices issues (CVE-2026-20615 and CVE-2026-20617) could allow an app to gain root privileges due to race conditions and path validation problems. A kernel vulnerability (CVE-2026-20626) also enabled malicious apps to elevate privileges. Another kernel flaw (CVE-2026-20671) could allow attackers in a privileged network position to intercept traffic.
The update also addresses multiple sandbox escape vulnerabilities, including CVE-2026-20628 in the Sandbox component and CVE-2026-20667 in libxpc, both of which could allow apps to break out of their restricted environments. Such flaws are particularly valuable in chained attacks, where an initial code execution bug is followed by sandbox escape and privilege escalation steps.
WebKit, Apple’s browser engine used by Safari and all iOS browsers, received several fixes for memory handling and state management issues. These include CVE-2026-20652, CVE-2026-20608, CVE-2026-20644, CVE-2026-20636, and CVE-2026-20635, which could lead to denial-of-service conditions or unexpected process crashes when processing malicious web content. Another WebKit bug (CVE-2026-20676) could allow websites to track users through Safari web extensions.
Numerous privacy-impacting bugs were also patched. These include flaws allowing unauthorized access to sensitive user data via Spotlight, StoreKit, Siri, Photos, UIKit, and Accessibility features, as well as issues where attackers with physical access to locked devices could view sensitive information due to authorization or UI state management weaknesses.
Apple has not shared technical details about the in-the-wild exploitation of CVE-2026-20700, in line with its standard policy of limiting disclosure until users have had time to update.
Users are strongly advised to install the latest updates immediately. On iPhone and iPad, updates can be installed by navigating to Settings > General > Software Update. Mac users can update via System Settings > General > Software Update.
Leave a Reply