Apple security alert: fix for a zero-day vulnerability in dyld requires updating now


This week Apple published a series of updates for iPhone, iPad, Mac, Apple TV, Apple Watch and Vision Pro that correct a zero-day vulnerability which, according to the company, has already been used in highly sophisticated targeted attacks. The flaw is tracked as CVE-2026-20700 and is a memory corruption problem in dyld, the component responsible for dynamically linking libraries and loading executables in Apple operating systems. Apple's official note about these fixes is available on its support page: Apple Security Updates.

In simple terms, dyld is a critical element of the system: when a process needs to use an external library or function, dyld ensures that the code is located and loaded at the right place in memory. A memory corruption vulnerability at that point can allow an attacker who already has some way of writing to memory to execute arbitrary code with the privileges of the affected process. For this reason Apple warns that exploitation of this flaw could lead to remote code execution on vulnerable devices. The official record of the flaw in the National Vulnerability Database is available at the NVD: CVE-2026-20700.


The discovery and reporting of the problem is attributed to Google's Threat Analysis Group, known as Google TAG, the team that tracks sophisticated operations against defenders and activists and that often works with manufacturers to mitigate real threats. Google TAG publishes information about its research on its portal: Google Threat Analysis Group. Apple has also pointed out that the vulnerability may have been exploited against specific individuals on versions prior to iOS 26, so the recommendation to update is not theoretical but urgent for anyone who could be the target of such attacks.

This update does not come in isolation: in December 2025 Apple already corrected two other vulnerabilities that had also been exploited in the wild. The first, CVE-2025-14174, affected the ANGLE component, related to the Metal implementation for graphics, and allowed out-of-bounds memory access. The second, CVE-2025-43529, was a use-after-free in WebKit that could trigger code execution when processing malicious web content. It is important to remember that these pieces fit a pattern: attackers combine flaws in different subsystems (graphics, browser, dynamic linking) to achieve full device compromise.

Apple has distributed the fixes across several branches and versions of its software. For the most recent, currently supported devices, the main updates are iOS and iPadOS 26.3 (aimed at iPhone 11 and modern iPad generations) and macOS Tahoe 26.3 for Macs that run that version. Patches for tvOS 26.3 (Apple TV HD and Apple TV 4K), watchOS 26.3 (Apple Watch Series 6 and later) and visionOS 26.3 (Apple Vision Pro) have also been published. In addition, Apple has released patches for older branches: iOS and iPadOS 18.7.5 for older models such as iPhone XS / XS Max / XR and iPad 7th generation, macOS Sequoia 15.7.4 and macOS Sonoma 14.8.4, as well as a Safari 26.3 update for macOS Sonoma and macOS Sequoia. Each update has its own note on Apple's support pages: iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3 and visionOS 26.3. The notes for the older versions are there as well: iOS / iPadOS 18.7.5, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4 and Safari 26.3.


What should users do? The clear answer is to update as soon as possible. Although many vulnerabilities require specific conditions to be exploited, a flaw in the dynamic linker is a major prize for an attacker with initial access to the system; applying the updates therefore drastically reduces the risk of a deeper compromise. In corporate environments and for users with high-risk profiles (journalists, activists, lawyers, etc.) it is advisable to prioritize these updates and, if possible, to check device integrity and look for unusual activity that could indicate a prior intrusion.
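For teams that need to prioritize these updates across a fleet, the following added example (not Apple's tooling and not part of the original article) compares an inventory against the fixed releases listed above, branch by branch. The inventory rows, host names and status labels are constructed for illustration, and the Safari 26.3 update is not covered.

```python
import csv
import io

# Fixed release per OS branch (major version), as listed in the article.
FIXED = {
    "ios":      {26: (26, 3, 0), 18: (18, 7, 5)},
    "ipados":   {26: (26, 3, 0), 18: (18, 7, 5)},
    "macos":    {26: (26, 3, 0), 15: (15, 7, 4), 14: (14, 8, 4)},
    "tvos":     {26: (26, 3, 0)},
    "watchos":  {26: (26, 3, 0)},
    "visionos": {26: (26, 3, 0)},
}

def parse_version(text):
    """'18.7' -> (18, 7, 0); raises ValueError on non-numeric input."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(text)
    return tuple(parts + [0] * (3 - len(parts)))

def classify(os_name, version):
    """Return a status label (labels are this example's own, hypothetical)."""
    branches = FIXED.get(os_name.strip().lower())
    if branches is None:
        return "unknown-os"
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable-version"
    fixed = branches.get(v[0])
    if fixed is None:
        # The article lists no fixed release for this branch: review manually.
        return "no-listed-fix"
    return "patched" if v >= fixed else "needs-update"

# Constructed sample inventory (host names are made up).
SAMPLE = """host,os,version
exec-iphone,iOS,26.2.1
legal-ipad,iPadOS,18.7.5
dev-mac-01,macOS,15.7.3
dev-mac-02,macOS,14.8.4
old-mac,macOS,13.7.8
lobby-tv,tvOS,26.3
"""

def audit(csv_text):
    """Classify every row of a host,os,version CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], classify(r["os"], r["version"])) for r in rows]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host:12} {status}")
```

A device on an older branch counts as patched only at that branch's own fixed release, which is why 18.7.5 passes while 26.2.1 does not.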

Apple says it follows the practice of not providing complete technical details when there is evidence of active exploitation, so as not to give clues to attackers before the mitigation is widely deployed. Even so, the company and external researchers have a recent history of patches for vulnerabilities exploited in the real world: in 2025, for example, Apple published fixes for nine flaws that had been used in attacks. This reality underlines the importance of combining updates with good practice: strong passwords, two-factor authentication, care with applications and links, and regular reviews of permissions and installed processes.

If you want to dig into the technical details and the threat tracking, the entry in the NIST vulnerability catalogue and Apple's notes are the most reliable starting points. To keep up with the activity of advanced actors and operational alerts, reports from groups such as Google TAG and vendor security bulletins are useful resources. In any case, the practical lesson is simple: when the manufacturer publishes a critical patch, do not leave it for tomorrow.
