NAVANEM
CVE-2026-20700 (exploited in the wild)

Apple dyld Memory Corruption (Targeted iOS Zero-Day)

A memory corruption issue in Apple's dyld dynamic linker was addressed with improved state management. Successful exploitation could lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. It was reported by Google's Threat Analysis Group and is the first Apple flaw flagged by CISA as actively exploited in 2026.

Overview

CVE-2026-20700 is a memory-corruption vulnerability in dyld, Apple's dynamic linker (dynamic link editor). dyld loads and links executables and shared libraries when an app launches, and it is a core, highly privileged system component across Apple's operating systems. Apple addressed the issue with improved state management and warned that it may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. Successful exploitation can lead to arbitrary code execution.

The vulnerability was reported by Google's Threat Analysis Group and is part of the same intrusion that produced the December 2025 WebKit fixes (CVE-2025-14174 and CVE-2025-43529), indicating it served as a privilege-escalation or code-execution stage in a multi-bug exploit chain. It is the first Apple defect that CISA flagged as actively exploited in 2026. Apple fixed it in the 26.3 generation of its operating systems, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on February 12, 2026 with a remediation deadline of March 5, 2026.

Technical Details

dyld is responsible for resolving and binding dependencies, mapping Mach-O images into memory, and applying fix-ups at process startup, all before an app's own code runs. A memory-corruption flaw in this component is especially valuable to attackers because dyld runs in the security context of the process being launched and is involved in the earliest, most trusted phase of execution. Apple describes the root cause as a state-management problem, meaning the linker reached an inconsistent internal state under specific conditions, leading to corruption that an attacker can shape toward code execution.

The CVSS data published via NVD (CISA-ADP) assigns a base score of 7.8 (High) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The Local attack vector and Low privileges required are consistent with dyld's role: rather than being a remote entry point, the bug is the link in the chain that converts an initial foothold (such as a WebKit content-process compromise) into higher-privileged code execution on the device, with no further user interaction needed. Impact is high across confidentiality, integrity, and availability. The fix ships in iOS and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, and watchOS 26.3.

Impact

  • Arbitrary code execution via memory corruption in the dyld dynamic linker, a privileged core system component.
  • Serves as an escalation/code-execution stage in a sophisticated multi-bug exploit chain alongside the related WebKit zero-days.
  • Reportedly exploited in an extremely sophisticated, targeted attack against specific individuals, consistent with mercenary-spyware operations.
  • Affects the full Apple device ecosystem: iPhone, iPad, Mac, Apple TV, Apple Watch, and Apple Vision Pro.

Mitigation

  1. Update iPhone and iPad to iOS/iPadOS 26.3 or later.
  2. Update Mac to macOS Tahoe 26.3 or later.
  3. Update Apple TV to tvOS 26.3, Apple Watch to watchOS 26.3, and Apple Vision Pro to visionOS 26.3.
  4. Reboot each device after updating so the patched dyld is in effect for all subsequently launched processes.
  5. Enable Lockdown Mode on high-risk devices to reduce the attack surface available to the chains that reach this bug. Federal Civilian Executive Branch agencies were required to remediate by March 5, 2026 under CISA BOD 22-01.

Detection

As with other Apple platform zero-days, defenders have limited low-level visibility, so detection centers on version and configuration assurance via mobile device management. Inventory the OS build across all managed Apple devices and flag any iPhone or iPad below iOS/iPadOS 26.3, any Mac below macOS Tahoe 26.3, and any Apple TV, Watch, or Vision Pro below the 26.3 builds as exposed. Enforce the minimum build through MDM compliance rules and restrict non-compliant devices from sensitive resources until they update.
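The version check described above can be scripted against an MDM inventory export. This is an added example, not tooling from the advisory or from any MDM vendor; the CSV column names and the sample rows are constructed assumptions, and only the 26.3 minimums come from this page.

```python
import csv
import io

# Minimum patched OS per platform, taken from the advisory (the 26.3 generation).
MIN_PATCHED = {
    "iOS": (26, 3), "iPadOS": (26, 3), "macOS": (26, 3),
    "tvOS": (26, 3), "visionOS": (26, 3), "watchOS": (26, 3),
}

# Constructed sample of an MDM inventory export; the column names are assumptions.
SAMPLE_INVENTORY = """\
device_id,platform,os_version
ph-001,iOS,26.3
ph-002,iOS,26.2.1
pad-001,iPadOS,18.7.2
mac-001,macOS,26.3.1
mac-002,macOS,26.10
tv-001,tvOS,26.2
wt-001,watchOS,
vp-001,visionOS,26.3 (beta)
"""

def parse_version(text):
    """Return a tuple of ints, or None if the field is not a plain dotted version."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, os_version):
    """Return 'patched', 'exposed', or 'unknown' for one inventory row."""
    minimum = MIN_PATCHED.get(platform)
    version = parse_version(os_version)
    if minimum is None or version is None:
        return "unknown"  # fail closed: handle as non-compliant until verified
    # Pad short versions so "26" compares as 26.0; compare numerically so that
    # 26.10 sorts above 26.3 (a plain string comparison would get this wrong).
    padded = version + (0,) * (len(minimum) - len(version))
    return "patched" if padded >= minimum else "exposed"

def audit(csv_text):
    """Map device_id -> status for every row of the export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: classify(r["platform"], r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}\t{status}")
```

Rows that come back as `unknown` (empty or non-numeric version fields) belong in the same restricted group as `exposed` devices until the build is confirmed.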

Because this dyld bug was used as a stage within a targeted chain rather than as the initial remote vector, the most reliable indicator is Apple's threat notification: any user who receives Apple's mercenary-spyware alert should be treated as a confirmed high-severity incident. Ingest indicators of compromise published by Google's Threat Analysis Group or downstream researchers for the associated campaign and alert on the related infrastructure in DNS and proxy logs. On macOS, EDR can monitor for processes exhibiting anomalous launch behavior, unexpected dynamic-library loads, or DYLD_* environment-variable abuse, and for early-execution anomalies that deviate from a known-good baseline of launched binaries.
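The macOS hunting described above (DYLD_* environment variables and launches outside a known-good baseline) can be expressed as a small triage routine. This is an added example, not a signature for CVE-2026-20700 and not code from any EDR product; the event shape, baseline, allowlist, writable-directory list and sample events are all constructed assumptions.

```python
# Constructed process-launch events in an assumed EDR export shape.
SAMPLE_EVENTS = [
    {"pid": 411, "path": "/usr/bin/ssh", "env": {"PATH": "/usr/bin:/bin"}},
    {"pid": 412, "path": "/Applications/Example.app/Contents/MacOS/Example",
     "env": {"DYLD_INSERT_LIBRARIES": "/tmp/example.dylib"}},
    {"pid": 413, "path": "/usr/local/bin/buildtool",
     "env": {"DYLD_LIBRARY_PATH": "/usr/local/lib"}},
    {"pid": 414, "path": "/private/tmp/updater", "env": {}},
    {"pid": 415, "path": "/usr/local/bin/buildtool",
     "env": {"DYLD_INSERT_LIBRARIES": "/usr/local/lib/trace.dylib"}},
]

# Known-good baseline of launched binaries (assumed to come from fleet history).
BASELINE = {
    "/usr/bin/ssh",
    "/Applications/Example.app/Contents/MacOS/Example",
    "/usr/local/bin/buildtool",
}
# Allowlist is per (binary, variable), so one approved use does not cover others.
ALLOWED_DYLD = {("/usr/local/bin/buildtool", "DYLD_LIBRARY_PATH")}
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/Users/Shared/")  # assumed site policy

def triage(event, baseline=BASELINE, allowed=ALLOWED_DYLD):
    """Return a list of finding strings for one launch event (empty if clean)."""
    findings = []
    path = event["path"]
    if path not in baseline:
        findings.append("binary-not-in-baseline")
    for name, value in sorted(event.get("env", {}).items()):
        if not name.startswith("DYLD_") or (path, name) in allowed:
            continue
        findings.append(f"unexpected-{name}")
        # DYLD_* values can be colon-separated lists; check every entry.
        if any(p.startswith(WRITABLE_DIRS) for p in value.split(":")):
            findings.append(f"{name}-from-writable-dir")
    return findings

def hunt(events):
    """Map pid -> findings for every event that produced at least one finding."""
    results = {e["pid"]: triage(e) for e in events}
    return {pid: f for pid, f in results.items() if f}

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```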

For suspected iOS compromise, capture a sysdiagnose and analyze it with forensic tooling such as the Mobile Verification Toolkit, which can surface spyware artifacts and crash logs consistent with exploitation; note that this typically requires physical access and user cooperation. Centralize and review crash reports where available, since exploitation of a dynamic-linker bug can leave distinctive early-launch crash signatures on devices where an attempt failed. Finally, confirm via MDM that Lockdown Mode is enabled and remains active for your highest-risk population, as it is among the few proactive defenses effective against this category of targeted, chained zero-day.


#cve-2026-20700#apple#ios#memory-corruption#cwe-119#high#actively-exploited#cisa-kev#zero-day
