Apple patches decade-old iOS zero-day, possibly exploited by commercial spyware

Steven

Apple patches decade-old iOS zero-day, possibly exploited by commercial spyware

Summary

Apple has fixed CVE-2026-20700, a zero-day in dyld (the dynamic linker) that has existed since iOS 1.0 and was reported exploited in the wild. Discovered by Google’s Threat Analysis Group, the flaw lets an attacker with memory-write capability execute arbitrary code and may have been used as part of an exploit chain alongside WebKit vulnerabilities to create a zero-click or one-click path to full device compromise.

The iOS and iPadOS 26.3 updates bundle this fix with other patches — including for issues that could grant root access or leak sensitive data — but Apple says CVE-2026-20700 is the only one confirmed as exploited. Security researchers liken the dyld flaw to handing an attacker a ‘master key’ past the system’s security checks, and note the sophistication resembles tools sold by commercial surveillance firms such as those behind Pegasus and Predator.

Key Points

  • CVE-2026-20700 affects dyld, Apple’s dynamic linker, and impacts every iOS version since 1.0.
  • The flaw allows arbitrary code execution when an attacker can perform memory writes.
  • Google’s Threat Analysis Group discovered the vulnerability and reported evidence it was exploited in the wild against targeted individuals.
  • Chaining this dyld bug with WebKit flaws (also fixed in iOS 26.3) can create zero-click or one-click full-device takeover paths.
  • Security experts say the exploit’s sophistication is consistent with commercial spyware toolkits sold to government clients.
  • Apple’s iOS/iPadOS 26.3 includes other fixes (root access, data leaks), but CVE-2026-20700 is the primary confirmed in-the-wild exploit — update promptly.

Context and Relevance

This patch matters because dyld is central to loading every app on iOS — a compromise there can bypass sandboxing and elevate an attacker’s reach across the device. The discovery by Google TAG and the linkage to WebKit exploits underline a wider trend: sophisticated, often private-sector-developed surveillance toolchains are increasingly able to produce zero-click compromises that target specific individuals.

For security teams and privacy-conscious users, the update is a reminder that even very old bugs can be weaponised and that timely patching is essential. It also highlights industry dynamics where vulnerabilities can circulate for years before mitigations appear — sometimes only after evidence of real-world abuse emerges.

Why should I read this?

Short version: if you use an iPhone or iPad, this patch matters — big time. Attackers could take over a device without you tapping a thing. Read the article to know what was fixed, why it’s nasty, and why you should hit update now. Seriously, update your device.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/02/12/apple_ios_263/