Apple: Apple 0-Day Vulnerability Actively Exploited in Sophisticated Attack to Target Individuals

Apple Patches Critical Zero-Day in iOS 26.3 Exploited in Targeted Spyware Attacks

On February 11, 2026, Apple released iOS 26.3 and iPadOS 26.3, addressing over 40 vulnerabilities, including a critical zero-day flaw (CVE-2026-20700) in the dyld component actively exploited in targeted attacks. Discovered by Google’s Threat Analysis Group, the memory-corruption vulnerability allows arbitrary code execution for attackers with memory-write access.

The flaw affects Apple’s Dynamic Link Editor (dyld), which manages dynamic library loading across iOS, macOS, and other platforms. Because of improper state management, an attacker who already holds a memory-write primitive could corrupt memory during library loading and hijack control flow to execute malicious code. Apple confirmed the exploit was used in "extremely sophisticated attacks" against high-profile individuals such as journalists and activists, a pattern consistent with nation-state spyware campaigns like Pegasus.

The attack chain likely begins with initial access via phishing or zero-click exploits, followed by privilege escalation through dyld. While no public proof-of-concept exists, Apple’s rapid patching highlights the threat’s severity. The fix, described as "improved state management," enhances validation in dyld’s memory allocation and linking processes.

Affected devices include iPhone 11 and later, as well as recent iPad Pro, iPad Air, and iPad mini models. The update also patches 37+ additional vulnerabilities, including:

  • Kernel flaws (CVE-2026-20617/20615) enabling root escalation.
  • WebKit bugs leading to denial-of-service or crashes.
  • Lock screen bypasses in Accessibility and Photos (CVE-2026-20642).
  • Sandbox escape vulnerabilities for app breakouts.

This marks Apple’s first zero-day patch of 2026, following seven in 2025, signaling persistent advanced threats. While the attacks remain highly targeted, public disclosure raises risks of broader exploitation. Apple’s update reinforces defenses, but enterprises are advised to enforce MDM policies and monitor for anomalies.

Source: https://cybersecuritynews.com/apple-0-day-vulnerability-exploited/

Apple TPRM report: https://www.rankiteo.com/company/apple

{
  "id": "app1770865044",
  "linkid": "apple",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "High-profile individuals (journalists, activists)",
      "industry": "Consumer Electronics, Software",
      "location": "Global",
      "name": "Apple",
      "size": "Large",
      "type": "Technology Company"
    }
  ],
  "attack_vector": ["Phishing", "Zero-Click Exploits"],
  "customer_advisories": "Users advised to update to iOS 26.3/iPadOS 26.3 immediately.",
  "data_breach": {
    "personally_identifiable_information": "Likely (high-profile targets)",
    "sensitivity_of_data": "High (targeted individuals' data)",
    "type_of_data_compromised": "Potential arbitrary code execution and access to sensitive data"
  },
  "date_detected": "2026-02-11",
  "date_publicly_disclosed": "2026-02-11",
  "date_resolved": "2026-02-11",
  "description": "Apple released iOS 26.3 and iPadOS 26.3 on February 11, 2026, addressing over 40 vulnerabilities, including a critical zero-day flaw (CVE-2026-20700) in the dyld component actively exploited in targeted attacks. The memory-corruption vulnerability allows arbitrary code execution for attackers with memory-write access, used in sophisticated spyware campaigns against high-profile individuals like journalists and activists.",
  "impact": {
    "brand_reputation_impact": "Moderate (public disclosure of targeted attacks)",
    "data_compromised": "Potential arbitrary code execution and data access",
    "identity_theft_risk": "High (targeted high-profile individuals)",
    "operational_impact": "Potential unauthorized access and control over affected devices",
    "systems_affected": "iOS and iPadOS devices (iPhone 11 and later, recent iPad Pro, Air, and mini models)"
  },
  "initial_access_broker": {
    "entry_point": ["Phishing", "Zero-Click Exploits"],
    "high_value_targets": "Journalists, activists"
  },
  "investigation_status": "Resolved (patch released)",
  "lessons_learned": "Persistent advanced threats require rapid patching and enhanced monitoring for high-risk individuals.",
  "motivation": "Espionage, Surveillance",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced validation in dyld’s memory allocation and linking processes",
    "root_causes": "Improper state management in dyld component leading to memory corruption"
  },
  "recommendations": [
    "Enforce MDM policies",
    "Monitor for anomalies",
    "Apply patches immediately"
  ],
  "references": [
    {"date_accessed": "2026-02-11", "source": "Apple Security Advisory"},
    {"date_accessed": "2026-02-11", "source": "Google’s Threat Analysis Group"}
  ],
  "response": {
    "communication_strategy": "Public disclosure and advisory",
    "containment_measures": "Patch released (iOS 26.3 and iPadOS 26.3)",
    "enhanced_monitoring": "Recommended for enterprises via MDM policies",
    "remediation_measures": "Improved state management in dyld component",
    "third_party_assistance": "Google’s Threat Analysis Group"
  },
  "stakeholder_advisories": "Enterprises advised to enforce MDM policies and monitor for anomalies.",
  "threat_actor": "Nation-state actors (likely associated with Pegasus spyware)",
  "title": "Apple Patches Critical Zero-Day in iOS 26.3 Exploited in Targeted Spyware Attacks",
  "type": "Zero-Day Exploit",
  "vulnerability_exploited": "CVE-2026-20700 (Memory-corruption in dyld component)"
}