Apple on Wednesday released updates to iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS to address a zero-day flaw that the company says was exploited in a sophisticated cyber attack.
The vulnerability is tracked as CVE-2026-20700 (CVSS score: N/A) and is described as a memory corruption issue in dyld, Apple’s dynamic link editor. Successful exploitation of this vulnerability could allow an attacker with memory writing capabilities to execute arbitrary code on a susceptible device. Google Threat Analysis Group (TAG) is credited with discovering and reporting this bug.
“Apple is aware of reports that this issue may have been exploited in highly sophisticated attacks against specific targeted individuals on versions of iOS prior to iOS 26,” the company said in an advisory. “CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.”
It is worth noting that CVE-2025-14174 and CVE-2025-43529 were both addressed by Cupertino in December 2025, and the former was first revealed by Google to be exploited in the wild. CVE-2025-14174 (CVSS score: 8.8) is related to an out-of-bounds memory access in ANGLE’s Metal renderer component. Metal is a high-performance, hardware-accelerated graphics and computing API developed by Apple.
Meanwhile, CVE-2025-43529 (CVSS score: 8.8) is a use-after-free vulnerability in WebKit that could potentially lead to arbitrary code execution when processing maliciously crafted web content.
Updates are available for the following devices and operating systems:
iOS 26.3 and iPadOS 26.3 – iPhone 11 or later, iPad Pro 12.9 inch 3rd generation or later, iPad Pro 11 inch 1st generation or later, iPad Air 3rd generation or later, iPad 8th generation or later, and iPad mini 5th generation or later macOS Tahoe 26.3 – macOS Tahoe tvOS 26.3 – Apple TV HD and Apple TV 4K (all models) watchOS 26.3 – Apple Watch Series 6 or later visionOS 26.3 – Apple Vision Pro (all models)
Additionally, Apple has also released updates that resolve various vulnerabilities in older versions of iOS, iPadO, macOS, and Safari.
With the latest development, Apple moves towards addressing a zero-day vulnerability that was first actively exploited in 2026. Last year, the company patched nine zero-day vulnerabilities that were exploited in the wild.
Source link
