Last updated: Feb 2026 · Related terms: Apple security update, zero-day, dyld, CVE-2026-20700, iOS 26.3, macOS Tahoe 26.3
Quick summary
- CVE-2026-20700 is a memory corruption bug in dyld, a core component involved when apps launch.
- Apple says it may have been used in an “extremely sophisticated” targeted attack against specific individuals on iOS versions before iOS 26.
- Apple’s advisories warn that an attacker with memory write capability may be able to execute arbitrary code.
- Patches are shipped in iOS/iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3.
Quick navigation
- What is dyld?
- What exactly is CVE-2026-20700?
- Why this one is urgent
- Optional technical notes (how dyld loads an app)
- Who’s affected + official Apple links
- How to patch (fast checklist)
- Notes for IT / SecOps
- Hard facts for tickets / reports
- References (official first)
What is dyld?
When you tap an app icon, the app doesn’t run as a completely self-contained bundle. It depends on shared Apple frameworks and libraries. dyld is part of the system that connects an app to those shared pieces so it can start and run properly.
That’s why dyld vulnerabilities attract attention: it’s not “one app” or “one feature.” It’s part of the machinery used across the platform.
What exactly is CVE-2026-20700?
Apple describes CVE-2026-20700 as a memory corruption issue in dyld, fixed with improved state management. The advisories credit Google’s Threat Analysis Group for reporting it.
What Apple is telling you (without the legal wording)
If an attacker already has a way to write to memory, this bug may let them go further and run code they choose. Apple also says it is aware of a report that this issue may have been exploited in an “extremely sophisticated” attack against specific targeted individuals.
The phrase “memory write capability” matters. In real incidents, attackers often chain multiple steps: one weakness provides a foothold or a primitive (like a controlled memory write), and another weakness turns that into code execution. Apple does not publish exploit details here, which is common when a bug is linked to high-end targeting.
Why this one is urgent (even if you’re “not a target”)
- Targeted attacks still scale. Once a technique exists, it can spread beyond the first victims.
- Shared components amplify risk. dyld sits on the app start path, so it’s valuable in exploit chains.
- Patch windows shrink fast. Once defenders see confirmed exploitation signals, the “later” option disappears quickly.
Practical takeaway: if your device offers one of the fixed versions below, install it. For organizations, patch high-risk users first.
Optional technical notes (for readers who want the “how”)
This section is optional. You can skip it and still patch correctly. If you’re curious, here’s where dyld fits in the boot-up path of an app.
What dyld does during app launch (high level)
- Reads the executable format: Apple apps are packaged as Mach-O binaries. The file includes “load commands” that describe which libraries it needs.
- Maps code and libraries into memory: dyld maps the main binary and the required shared libraries.
- Resolves symbols: when the app references a function in a library, dyld binds those references to the correct addresses.
- Applies fixups: modern systems use precomputed / optimized fixup data to make startup faster; dyld applies what’s needed at runtime.
- Runs initializers: some libraries have startup routines that must run before your app’s main code begins.
Why memory corruption in a loader is a big deal
“Memory corruption” is a broad category: out-of-bounds writes, use-after-free, and other bugs that can alter program memory in unintended ways. In the worst case, memory corruption can be steered to overwrite pointers or control data — which can lead to executing attacker-controlled code.
Apple’s wording (“attacker with memory write capability”) strongly hints that CVE-2026-20700 is most valuable as part of a chain: once a reliable write primitive exists, a second bug can become the bridge to code execution.
Tiny macOS lab: see what an app links against (safe)
On a Mac, you can inspect which shared libraries an app depends on. This isn’t “exploitation”; it’s a normal developer/admin check.
# Show the macOS version sw_vers # Pick a binary and list its linked libraries # (Example: /bin/ls is simple and always present) otool -L /bin/ls
Note: DYLD_* environment variables exist for debugging loader behavior, but macOS security features (like SIP/protected processes) can cause those variables to be ignored for many system binaries. That’s normal and by design.
Who’s affected + the fixed versions (with official Apple links)
Apple lists CVE-2026-20700 under the dyld section of its security advisories for multiple platforms. These are the official pages you can cite internally.
| Platform | Update that fixes CVE-2026-20700 | Official Apple advisory |
|---|---|---|
| iPhone / iPad | iOS 26.3 / iPadOS 26.3 | Security content of iOS 26.3 and iPadOS 26.3 |
| Mac | macOS Tahoe 26.3 | Security content of macOS Tahoe 26.3 |
| Apple TV | tvOS 26.3 | Security content of tvOS 26.3 |
| Apple Watch | watchOS 26.3 | Security content of watchOS 26.3 |
| Apple Vision Pro | visionOS 26.3 | Security content of visionOS 26.3 |
Apple’s security bulletin index (useful for cross-checking release dates and documents): Apple security releases.
How to patch (fast checklist)
For personal devices
- iPhone / iPad: Settings → General → Software Update → install iOS/iPadOS 26.3
- Mac: System Settings → General → Software Update → install macOS Tahoe 26.3
- Apple Watch: Watch app → General → Software Update → install watchOS 26.3
- Apple TV: Settings → System → Software Updates → install tvOS 26.3
- Vision Pro: Settings → General → Software Update → install visionOS 26.3
Quick verification tip
After updating, confirm the OS version number. On iPhone/iPad: Settings → General → About. On Mac: Apple menu → About This Mac. Aim for 26.3 (or later) on the relevant platform.
Notes for IT / SecOps (real-world operations)
Apple did not publish public exploit indicators here, so the most reliable control is still: patch, then verify versions across your fleet.
- Inventory: use MDM reporting to locate devices below 26.3 on affected platforms.
- Prioritize: patch high-risk roles first (execs, security staff, people handling sensitive data).
- Enforce: apply minimum OS compliance rules where possible.
Hard facts for tickets / reports
- Release date: Apple lists these updates as released on February 11, 2026 (see the platform advisories).
- CVSS (as displayed on NVD): 7.8 (High) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
- Weakness class (NVD): CWE-119 (memory safety / bounds issue category).
- Cross-platform: NVD lists the issue as fixed in iOS/iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, visionOS 26.3.
References (official first)
- Apple security releases (official index)
- iOS 26.3 and iPadOS 26.3 security content (Apple)
- macOS Tahoe 26.3 security content (Apple)
- tvOS 26.3 security content (Apple)
- watchOS 26.3 security content (Apple)
- visionOS 26.3 security content (Apple)
- NVD: CVE-2026-20700 (NIST)
- CVE Record: CVE-2026-20700 (cve.org)