Full Report
The vendor said the memory-corruption defect was exploited to target specific people, but it did not describe the objectives of the attack. The post Apple discloses first actively exploited zero-day of 2026 appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Apple dyld Memory Corruption Zero-Day
## CVE Details
- **CVE ID:** CVE-2026-20700
- **CVSS Score:** N/A (Note: Severity is considered Critical due to active exploitation and arbitrary code execution capabilities).
- **CWE:** Memory Corruption (specifically affecting dyld)
## Affected Systems
- **Products:** Apple iPhone and iPad
- **Versions:** All versions prior to iOS 26 and iPadOS 26.
- **Configurations:** Devices utilizing dyld (dynamic link editor) for application loading.
## Vulnerability Description
The flaw is a memory corruption defect residing in **dyld**, Apple’s open-source dynamic link editor. dyld is a core system component responsible for securely loading applications and libraries. According to Apple, a successful exploit provides an attacker with "memory write capability," which can be leveraged to achieve arbitrary code execution (ACE). This vulnerability is reportedly linked to or chained with two WebKit vulnerabilities: CVE-2025-14174 and CVE-2025-43529.
## Exploitation
- **Status:** Exploited in the wild (Actively exploited zero-day).
- **Complexity:** High (Described as "extremely sophisticated" and "highly targeted").
- **Attack Vector:** Likely Remote (Often delivered via malicious web content or zero-click vectors, though frequently chained with browser-based exploits).
## Impact
- **Confidentiality:** High (Potential for complete device surveillance and data extraction).
- **Integrity:** High (Ability to execute arbitrary code and modify system behavior).
- **Availability:** High (Potential for system instability or permanent compromise).
## Remediation
### Patches
- **iOS 26.3 and iPadOS 26.3:** Users should update immediately to these versions or later to remediate the flaw.
### Workarounds
- There are no official functional workarounds. Immediate patching is the only recommended mitigation.
- High-risk individuals should consider enabling **Lockdown Mode** to reduce the device's attack surface.
## Detection
- **Indicators of Compromise:** No specific file hashes or C2 domains were provided in the disclosure; however, the vulnerability is associated with sophisticated spyware-style attacks.
- **Detection Methods and Tools:**
- Monitor for unexpected system reboots or crashes.
- Check for "Unexpected Security Updates" or alerts from Apple regarding targeted attacks.
- CISA has added this vulnerability to the **Known Exploited Vulnerabilities (KEV) Catalog**.
## References
- Apple Security Update: [https://support.apple.com/en-us/126346](https://support.apple.com/en-us/126346)
- CISA KEV Catalog: [https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- NVD Details: [https://nvd.nist.gov/vuln/detail/CVE-2026-20700](https://nvd.nist.gov/vuln/detail/CVE-2026-20700)