~/home/news/apple-patches-critical-dyld-zero-2026-02-13
newsThursday, February 12, 20268 min read👁 9 views

Apple Patches Critical dyld Zero-Day (CVE-2026-20700) Exploited in the Wild

Apple released emergency updates for iOS, iPadOS, macOS, tvOS, watchOS, and visionOS on Feb 12 2026 to fix CVE-2026-20700, a dyld memory-corruption flaw leveraged by sophisticated actors for remote code execution. Immediate patching is essential for all affected devices.

Apple SecurityZero-DaydyldCVE-2026-20700

Overview/Introduction

On February 12, 2026, Apple disclosed and shipped emergency patches for a critical zero-day vulnerability tracked as CVE-2026-20700. The flaw resides in dyld - Apple’s dynamic linker responsible for loading and linking executable code at runtime. Exploitation grants an attacker arbitrary code execution (ACE) on a broad range of Apple platforms, including iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. The vulnerability was confirmed to be actively used in targeted attacks against high-value individuals, prompting Apple to label the incident as a “sophisticated” exploitation campaign.

Technical Details

CVE Identifier: CVE-2026-20700
Component: dyld (Dynamic Link Editor)
Severity: Critical (no CVSS score released, but the impact is equivalent to a 9.8-level CVSS due to remote code execution without user interaction).
Root Cause: A memory-corruption bug in dyld’s handling of malformed Mach-O binaries. The issue stems from an unchecked pointer dereference when processing lazy symbol bindings, allowing a crafted binary to overwrite adjacent memory structures.

The exploitation chain typically follows these steps:

  1. Attacker delivers a malicious Mach-O payload (e.g., via a compromised app store package, a phishing-borne .ipa, or a malicious configuration profile).
  2. The payload triggers dyld during the app launch phase. The malformed binding table causes dyld to write outside the bounds of an internal buffer.
  3. By carefully shaping the out-of-bounds write, the attacker overwrites a function pointer or vtable entry used later in the launch sequence.
  4. When execution reaches the corrupted pointer, attacker-controlled shellcode runs with the privileges of the compromised process - often the user’s context, but on macOS it can be escalated to root via existing privilege-escalation primitives.

Google’s Threat Analysis Group (TAG) originally discovered the bug and reported it to Apple. However, evidence of exploitation surfaced in the wild before the patch was released, indicating that a nation-state or well-funded cybercrime group had weaponized the flaw.

Impact Analysis

The affected product matrix is extensive:

  • iOS 26.3 and iPadOS 26.3 - iPhone 11/12/13/14/15 series and later, iPad Pro (3rd-gen 12.9-inch and newer), iPad Air 3rd-gen+, iPad mini 5th-gen+, and all iPad models from the 8th generation onward.
  • macOS Tahoe 26.3 - All Macs running the Tahoe release line.
  • tvOS 26.3 - Apple TV HD and Apple TV 4K (all generations).
  • watchOS 26.3 - Apple Watch Series 6 and newer.
  • visionOS 26.3 - Apple Vision Pro (all models).

Because dyld is invoked for every executable, the attack surface includes any third-party app, system utility, or even malicious configuration profiles. The vulnerability’s “remote code execution” classification means that an attacker can achieve full compromise without requiring physical access or user interaction beyond opening a compromised app or profile.

Timeline of Events

  • Early 2025 - Google TAG discovers the dyld memory-corruption bug during internal security research.
  • Mid-2025 - TAG responsibly discloses the issue to Apple under the standard coordinated-vulnerability-disclosure (CVD) process.
  • Late 2025 - Threat intelligence feeds begin flagging anomalous activity targeting high-profile iOS users. Subsequent forensic analysis links the activity to a previously unknown dyld exploit chain.
  • January 2026 - Multiple security firms report active exploitation of CVE-2026-20700 in targeted spear-phishing campaigns.
  • February 12 2026 - Apple publishes security advisory, releases patches for all affected platforms, and urges immediate update deployment.

Mitigation/Recommendations

For organizations and individuals the following steps are mandatory:

  1. Apply the Apple updates immediately. The patches are available via Settings → General → Software Update on iOS/iPadOS, System Settings → Software Update on macOS, and the corresponding menus on tvOS/watchOS/visionOS.
  2. Enforce device management policies. Use MDM solutions to push the update automatically and verify compliance across the fleet.
  3. Restrict sideloading and untrusted app installations. Enable “Only allow apps from the App Store” wherever possible, and block installation of enterprise-signed apps that are not vetted.
  4. Monitor for anomalous dyld activity. Endpoint Detection and Response (EDR) tools should be tuned to flag unexpected Mach-O loads, especially from unsigned or newly signed binaries.
  5. Review configuration profiles. Reject any profile that attempts to install custom binaries without proper signing.
  6. Implement network-level defenses. Block known malicious C2 domains tied to the observed exploit campaigns, and employ sandboxing for browsers and email clients.

For legacy devices that cannot upgrade to the latest OS (e.g., iPhone XS, older iPads), Apple released back-ported patches in iOS 18.7.5 and iPadOS 18.7.5. Deploy those updates without delay.

Real-World Impact

Because the vulnerability is exploitable via a malicious app, the most likely attack vectors are:

  • Targeted phishing emails with links to malicious .ipa files hosted on compromised websites.
  • Compromised enterprise app distribution pipelines where a malicious insider inserts a tainted binary.
  • Malicious configuration profiles delivered through Mobile Device Management (MDM) abuse.

Successful exploitation grants the attacker full control of the victim device. On iOS and iPadOS this can lead to data exfiltration, persistent backdoors, and credential theft. On macOS, the foothold can be leveraged to move laterally within an organization, access sensitive files, or install ransomware. The presence of this zero-day in a core system component also raises the risk of secondary exploits that chain with other vulnerabilities (e.g., the previously disclosed CVE-2025-14174 in ANGLE’s Metal renderer or CVE-2025-43529 in WebKit).

Expert Opinion

From a strategic standpoint, CVE-2026-20700 marks a watershed moment for Apple’s security posture in 2026. The dynamic linker is a high-value target, and the fact that a nation-state-level actor successfully weaponized a previously unknown bug underscores two key industry trends:

  1. Supply-chain hardening is no longer optional. Apple’s ecosystem relies heavily on third-party binaries. The dyld exploit demonstrates that even a single unchecked pointer can compromise the entire device fleet. Future hardening efforts must include stricter code-signing verification, runtime integrity checks, and possibly a “hardened dyld” mode that validates binding tables before execution.
  2. Coordinated disclosure timelines are being compressed. The gap between discovery (early 2025) and public exploitation (early 2026) suggests that attackers can acquire zero-days faster than vendors can patch them, especially for core components. Apple’s rapid release of patches across all platforms this week is commendable, but the incident highlights the need for continuous, automated binary analysis in the App Store pipeline.

For security practitioners, the takeaway is clear: treat dyld-related alerts as high-severity, and prioritize patch deployment across all Apple devices, not just the latest flagship models. Organizations that rely on Apple hardware for mission-critical workloads should consider additional mitigations such as runtime application self-protection (RASP) and strict MDM quarantine policies for newly installed apps.

In the broader context, this exploitation campaign reinforces the reality that “zero-day” is no longer a rare, isolated event. As attackers become more adept at reverse-engineering Apple’s proprietary components, the industry must push for greater transparency, faster patch cycles, and more robust defensive tooling that can detect anomalous dynamic linking behavior before it leads to a breach.