Apple has rolled out an urgent security update to fix a serious zero-day vulnerability in iOS — one that reportedly existed for more than a decade and may have already been used in highly targeted attacks. The fix is included in iOS 26.3 and related security updates across Apple’s device ecosystem, and users are being strongly advised to update their devices as soon as possible.
The vulnerability, tracked as CVE-2026-20700, was found in dyld, Apple’s dynamic linker. This is a core system component responsible for preparing and launching apps on Apple devices. Because dyld plays such a fundamental role in how apps run, any flaw inside it can have major security implications.
In this case, the bug could allow attackers who already have memory write access to execute malicious code on a device. In practical terms, that means attackers could potentially force a device to run spyware or other malicious software — sometimes without the user clicking anything.
Apple acknowledged that the flaw may have been used in “extremely sophisticated attacks” targeting specific individuals on iOS versions released before iOS 26. While the company did not name attackers or victims, this kind of language typically points to high-end surveillance operations rather than mass cybercrime.
Security researchers believe this vulnerability becomes even more dangerous when combined with previously patched WebKit bugs (CVE-2025-14174 and CVE-2025-43529). When chained together, these flaws could enable so-called “zero-click” attacks, where devices can be compromised silently — a technique commonly associated with commercial spyware tools.
Reports suggest the vulnerabilities may have been leveraged by commercial spyware vendors. These companies develop advanced hacking tools and sell them to government customers for targeted surveillance. Tools in this category — similar to those used in Pegasus or Predator-style campaigns — are extremely expensive and are usually deployed against journalists, activists, diplomats, or senior corporate and government officials.
Apple’s security update doesn’t just cover iOS. The patch has been released across the company’s major platforms, including iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS. Alongside the dyld fix, Apple also addressed dozens of additional vulnerabilities that could have enabled privilege escalation, information leaks, denial-of-service attacks, or sandbox escapes.
While Apple confirmed real-world exploitation, it did not provide technical details about how the vulnerability was used. This is common practice, as revealing too much detail too early could help attackers refine their methods or alert them to detection strategies.
Security experts continue to warn that zero-day vulnerabilities remain among the most dangerous threats in cybersecurity. Because they are unknown to vendors before exploitation begins, there is no protection available until a patch is released.
Given the scale of Apple’s global device ecosystem, rapid patch adoption is critical. Users who delay updates could remain exposed to remote attacks that compromise device security and personal data.
For now, the advice is simple: update immediately.
Caught feelings for cybersecurity? It’s okay, it happens. Follow us on LinkedIn, Youtube and Instagram to keep the spark alive.
