Apple Patches Decade-Old IOS Zero-Day, Possibly Exploited By Commercial Spyware
Source: Slashdot
Overview
Apple recently released patches for iOS and macOS that address “an extremely sophisticated attack against specific targeted individuals.” The vulnerability was described by Apple as a memory‑corruption issue that could be exploited for arbitrary code execution.
Technical Details
- The flaw is tracked as CVE‑2026‑20700.
- Potential impacts include:
- Information exposure
- Denial‑of‑service (DoS)
- Arbitrary file write
- Privilege escalation
- Network traffic interception
- Sandbox escape
- Code execution
Apple noted that exploitation of CVE‑2026‑20700 appears to be linked to two other zero‑days, CVE‑2025‑14174 and CVE‑2025‑43529, which were patched in WebKit in December 2025. All three bugs were identified jointly by Apple’s security team and Google’s Threat Analysis Group, and their characteristics suggest possible use by commercial spyware vendors.
Industry Reaction
Brian Milbier, deputy CISO at Huntress, told The Register that the dyld/WebKit patch “closes a door that has been unlocked for over a decade.” His comments highlight the long‑standing nature of the vulnerability and the significance of the recent fix.
References
- Apple’s security advisory: support.apple.com/en-us/126346
- Security Week report: “Apple patches iOS zero‑day exploited in extremely sophisticated attack” – securityweek.com/apple-patches-ios-zero-day-exploited-in-extremely-sophisticated-attack/
- WebKit zero‑day background: securityweek.com/apple-patches-two-zero-days-tied-to-mysterious-exploited-chrome-flaw/
- The Register interview: theregister.com/2026/02/12/apple_ios_263/
Thanks to Slashdot reader wiredmikey for sharing the article.