Apple has published a series of security patches to fix a zero-day vulnerability that, according to the company, was used in an "extremely sophisticated attack" directed against specific individuals. The flaw, tracked as CVE-2026-20700, affects dyld, the Dynamic Link Editor used by iOS, iPadOS, macOS, tvOS, watchOS and visionOS, and would allow arbitrary code execution if an attacker gains the ability to write to the device's memory.
In its security bulletin, Apple warns that the vulnerability could be exploited by an attacker with memory write capability to run unauthorized code on affected devices. The company also indicates that this finding is related to two bugs fixed last December, tracked as CVE-2025-14174 and CVE-2025-43529, and that all of them appear to be linked to the same series of targeted incidents. The official note is available on the Apple support website: Apple Support - Security Update.

Google's Threat Analysis Group detected CVE-2026-20700, according to Apple, although the company has not provided technical details about the exact exploitation mechanism or the initial attack vector. The involvement of teams such as the Google Threat Analysis Group usually indicates that the activity was highly targeted and well orchestrated, focused on high-risk targets.
Understanding why dyld matters helps gauge the severity. dyld is the dynamic loader that links libraries and executables on Apple platforms; any flaw in this component can open the door to malicious code being injected and run at a very low level of the system. Apple has developer documentation on dyld that explains its function and why it is so critical: Dyld documentation. For the security community, vulnerabilities that allow arbitrary code execution are among the most worrying, because they can be used to install spyware, steal data or take remote control of the device.
Apple has fixed the problem in iOS 18.7.5, iPadOS 18.7.5, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3 and visionOS 26.3. Among the devices cited as affected are modern iPhone and iPad models, such as the iPhone 11 and later and several recent generations of iPad Pro, iPad Air and iPad mini, as well as Macs that run macOS Tahoe. If you use any of these devices, it is important to update as soon as possible.
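For administrators who need to check a fleet against the fixed versions listed above, the following is an added example, not Apple tooling or code from the original article. The inventory rows and the CSV export format are constructed, and the script assumes a device counts as patched only when it is on the same major release as the listed fix and at or above it; any other major release is flagged for a manual check against Apple's advisory, because the article names no fixed build for it.

```python
import csv
import io

# Fixed releases exactly as listed in the article for CVE-2026-20700.
FIXED = {
    "iOS": (18, 7, 5), "iPadOS": (18, 7, 5), "macOS": (26, 3),
    "tvOS": (26, 3), "watchOS": (26, 3), "visionOS": (26, 3),
}

# Constructed sample inventory (hypothetical export format, not from the article).
SAMPLE_INVENTORY = """device,platform,version
iphone-a,iOS,18.7.5
iphone-b,iOS,18.6
ipad-c,iPadOS,26.2
mac-d,macOS,26.3.1
watch-e,watchOS,26.2
kiosk-f,iOS,n/a
"""

def parse_version(text):
    """Turn '18.7.5' into (18, 7, 5); raises ValueError on malformed input."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(platform, version_text):
    """Return patched / vulnerable / check-advisory / unparseable / unknown-platform."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return "unknown-platform"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"
    # Pad with zeros so that '18.7' compares as 18.7.0 against 18.7.5.
    width = max(len(version), len(fixed))
    version += (0,) * (width - len(version))
    fixed += (0,) * (width - len(fixed))
    if version[0] != fixed[0]:
        # Assumption: the article lists no fix for this major release,
        # so do not guess; send the device to manual review.
        return "check-advisory"
    return "patched" if version >= fixed else "vulnerable"

def audit(csv_text):
    """Classify every row of a device,platform,version CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["device"], classify(r["platform"], r["version"])) for r in rows]

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY):
        print(f"{device}: {status}")
```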
Although Apple indicates that the exploitation was selective - targeted at specific individuals in previous versions of iOS 26 - the recommendation for users is simple and direct: install available updates as soon as possible. Updating the operating system promptly shrinks the window of exposure to this type of flaw. If you need step-by-step instructions, Apple maintains a public guide on how to update your devices here: How to update iPhone, iPad or iPod touch.
This patch is the first zero-day fix Apple has made public in 2025; by 2025 the company had already corrected several critical vulnerabilities, accumulating seven zero-day patches throughout the year. This pattern highlights two complementary facts: on the one hand, sophisticated attackers continue to develop and exploit complex flaws; on the other, collaboration between researchers and large platforms (such as the one reported between Google and Apple) can detect and mitigate threats before they spread widely.

For home users and system administrators there are some good practices that go beyond applying the patch. Keeping up-to-date, encrypted backups, reviewing application permissions and minimizing the installation of dubious software help reduce the attack surface. In business environments, detection and response controls, network segmentation and mobile device management policies extend protection against targeted attacks.
Apple has not yet revealed any more information on how the exploitation was carried out or on who the targets were, which is common when investigations remain open or when public disclosure could help attackers refine their techniques. For those who want more background on vulnerabilities and disclosure programmes, the CVE initiative and its general explanation can serve as a starting point: What is CVE?.
In short, although the threat described by Apple was targeted and does not indicate a mass campaign, the combination of a dynamic loader flaw and the possibility of arbitrary code execution leaves no room for complacency. The most effective and accessible measure for any user is to install the updates for iOS, iPadOS, macOS and the other systems that Apple has published, and to maintain digital security habits that limit the impact of future attacks.