Apple patches decade-old iOS zero-day, possibly exploited by commercial spyware

Apple patched a zero-day vulnerability affecting every iOS version since 1.0, used in what the company calls an "extremely sophisticated attack" against targeted individuals.

CVE-2026-20700, discovered by Google's Threat Analysis Group, affects dyld - Apple's dynamic linker - and allows attackers with memory write capability to execute arbitrary code. Apple said the flaw was exploited in the wild and may have been part of an exploit chain.

Its advisory stated: "An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26."

Google's researchers also referenced two December vulnerabilities in their report that both carry 8.8 CVSS scores.

CVE-2025-14174 is an out-of-bounds memory access flaw in Google Chrome's ANGLE graphics engine on Mac that could be exploited through a malicious webpage.

The other, CVE-2025-43529, is a use-after-free leading to code execution.

Brian Milbier, deputy CISO at Huntress, said: "Think of dyld as the doorman for your phone. Every single app that wants to run must first pass through this doorman to be assembled and given permission to start.

"Usually, the doorman checks credentials and places apps in a high-security 'sandbox' where they can't touch your private data. This vulnerability allows an attacker to trick the doorman into handing over a master key before security checks even begin."

• Ireland wants to give its cops spyware, ability to crack encrypted messages
• Stalkerware slinger pleads guilty for selling snooper software to suspicious spouses
• Apple, Google forced to issue emergency 0-day patches
• Two Android 0-day bugs disclosed and fixed, plus 105 more to patch

By chaining this with WebKit flaws Apple also addressed in the iOS 26.3 update, "attackers have created a 'zero-click' or 'one-click' path to total control. They use a fake ID to bypass the front gate – your browser – and then exploit the doorman's flaw to take over the entire building," Milbier added.

"This level of sophistication resembles other exploits developed by the commercial surveillance industry. These are private companies that also developed prominent spyware tools like Pegasus and Predator. They sell these types of exploits or tools to government clients. While some updates in this patch address minor issues, such as data leakage from physical access, the dyld/WebKit chain is in a different league. iOS 26.3 closes a door that has been unlocked for over a decade."

Apple's updates for iOS and iPadOS also feature a host of other fixes for various bugs, including flaws that grant root access and disclose sensitive user information, but CVE-2026-20700 is the only one it said was exploited in the wild. ®