Apple has released security updates to fix a zero-day vulnerability that was exploited in an "extremely sophisticated attack" targeting specific individuals.
Tracked as CVE-2026-20700, the flaw is an arbitrary code execution vulnerability in dyld, the Dynamic Link Editor used by Apple operating systems, including iOS, iPadOS, macOS, tvOS, watchOS, and visionOS.
Apple's security bulletin warns that an attacker with memory write capability may be able to execute arbitrary code on affected devices.
Apple says it is aware of reports that the flaw, along with the CVE-2025-14174 and CVE-2025-43529 flaws fixed in December, was exploited in the same incidents.
"An attacker with memory write capability may be able to execute arbitrary code," reads Apple's security bulletin.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report."
Apple says Google's Threat Analysis Group discovered CVE-2026-20700. The company did not provide any further details about how the vulnerability was exploited.
Affected devices include:
iPhone 11 and later
iPad Pro 12.9-inch (3rd generation and later)