Apple Patches iOS Zero-Day Exploited in ‘Extremely Sophisticated Attack’

Impacting the ‘dyld’ system component, the memory corruption issue can be exploited for arbitrary code execution.

Apple on Wednesday rolled out fixes for iOS and macOS systems to resolve a zero-day vulnerability that has been exploited in the wild.

Tracked as CVE-2026-20700, the zero-day flaw is described as a memory corruption issue that could be exploited for arbitrary code execution.

It affects dyld (Dynamic Link Editor), the system component that loads dynamic libraries into memory and acts as a connector between application code and system frameworks.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” Apple noted in its advisory.

The tech giant also noted that the flaw’s exploitation is linked to attacks involving CVE-2025-14174 and CVE-2025-43529, two zero-days patched in WebKit in December 2025.

A week before Apple’s patches, Google rolled out Chrome fixes for CVE-2025-14174, although the issue did not yet have a CVE identifier.

The three zero-day bugs were identified by Apple’s security team and Google’s Threat Analysis Group, and their descriptions suggest that they might have been exploited by commercial spyware vendors.

On Wednesday, Apple announced that patches for CVE-2026-20700 have been included in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3, and visionOS 26.3.

The iOS and iPadOS security updates resolve nearly 40 vulnerabilities, while the macOS Tahoe refresh fixes over 50 security defects.

The bugs could be exploited for information exposure, denial-of-service (DoS), arbitrary file write, privilege escalation, network traffic interception, sandbox escape, and code execution.

For older device models, Apple released iOS 18.7.5 and iPadOS 18.7.5, macOS Sequoia 15.7.4, and macOS Sonoma 14.8.4, each with patches for over three dozen vulnerabilities.

Safari 26.3 was released on Wednesday with fixes for eight security defects, including six affecting the WebKit browser engine.

Users are advised to update their devices as soon as possible. Additional information is available on Apple’s security updates page.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
