Apple discloses first actively exploited zero-day of 2026
Apple disclosed a zero-day vulnerability Wednesday that the vendor warned was previously “exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in a security update.
The memory-corruption vulnerability — CVE-2026-20700 — affects iPhones and iPads and was exploited on devices running versions of iOS before iOS 26. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Thursday.
The disclosure marks the first zero-day reported by Apple since late 2025, and the first Apple defect flagged as actively exploited by CISA this year.
“An attacker with memory write capability may be able to execute arbitrary code,” the company said.
Apple, which typically shares limited details about in-the-wild exploitation of zero-days, noted the latest zero-day, similar to others it disclosed last year, was exploited by sophisticated attackers targeting distinct people.
The company did not immediately respond to a request for comment and did not describe the nature or objectives of the attacks.
Caitlin Condon, vice president of security research at VulnCheck, said the zero-day was likely exploited as part of a highly targeted spyware or surveillance attack on a very small number of individuals’ devices.
The zero-day vulnerability, which was discovered by Google Threat Intelligence Group, affects dyld, Apple’s open-source dynamic link editor that acts as a core system component to securely load applications on users’ devices.
Apple said a pair of additional vulnerabilities affecting WebKit — CVE-2025-14174 and CVE-2025-43529 — were previously disclosed in response to attacks involving CVE-2026-20700.
The company did not describe how the three vulnerabilities are related, but previously noted CVE-2025-43529 was “exploited in an extremely sophisticated attack against specific targeted individuals.”
All three of the memory-corruption defects affect mobile operating systems, “where sophisticated zero-day attacks are commonly employed to surveil individuals, whether those are political dissidents, journalists, public figures or other high-value targets,” Condon said.
“Memory-corruption exploits are also commonly seen in sophisticated attacks, as they’re tricky to exploit reliably but provide elevated access,” she added.
Apple’s security updates for iOS 26.3 and iPadOS 26.3 addresses 38 vulnerabilities total, but CVE-2026-20700 is the only defect it disclosed as actively exploited prior to public disclosure.
