Apple patches decade-old iOS zero-day, possibly exploited by commercial spyware
Source: Hacker News
Apple patched a zero‑day vulnerability affecting every iOS version since 1.0, which the company says was used in an “extremely sophisticated attack” against targeted individuals.
Vulnerability Details (CVE‑2026‑20700)
- Component:
dyld– Apple’s dynamic linker. - Impact: Allows an attacker with memory‑write capability to execute arbitrary code.
- Status: Exploited in the wild; may have been part of a larger exploit chain.
- Apple advisory: support.apple.com/en-us/126346 – “An attacker with memory write capability may be able to execute arbitrary code… may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”
Related Vulnerabilities
- CVE‑2025‑14174 – Out‑of‑bounds memory access in Google Chrome’s ANGLE graphics engine on macOS, exploitable via a malicious webpage.
- CVE‑2025‑43529 – Use‑after‑free leading to code execution.
Both were referenced by Google’s Threat Analysis Group and carry CVSS scores of 8.8.
Expert Commentary
“Think of
dyldas the doorman for your phone. Every single app that wants to run must first pass through this doorman to be assembled and given permission to start.
Usually, the doorman checks credentials and places apps in a high‑security ‘sandbox’ where they can’t touch your private data. This vulnerability allows an attacker to trick the doorman into handing over a master key before security checks even begin.”
— Brian Milbier, Deputy CISO at Huntress
By chaining this flaw with WebKit vulnerabilities addressed in the iOS 26.3 update, attackers can achieve a “zero‑click” or “one‑click” path to total control: a fake ID bypasses the browser front gate, then the dyld flaw takes over the entire system.
“This level of sophistication resembles other exploits developed by the commercial surveillance industry… They sell these types of exploits or tools to government clients. While some updates in this patch address minor issues, such as data leakage from physical access, the
dyld/WebKit chain is in a different league. iOS 26.3 closes a door that has been unlocked for over a decade.” – Milbier
References
- Ireland wants to give its cops spyware, ability to crack encrypted messages
- Stalkerware slinger pleads guilty for selling snooper software to suspicious spouses
- Apple, Google forced to issue emergency 0‑day patches
- Two Android 0‑day bugs disclosed and fixed, plus 105 more to patch
- Pegasus investigation
- Predator spyware sanctions