Apple Patches Ancient Zero-Day Vulnerability Present in iOS for Nearly Two Decades

A zero-day vulnerability that has been with iOS since the first iPhone launched has been identified and patched out by Apple, but with the warning that there is evidence it has been exploited in attack chains for quite some time.

CVE-2026-20700 was discovered by Google’s Threat Analysis Group and impacts all versions of iOS prior to 26 (released in mid-September 2025). The zero-day vulnerability required a very sophisticated attack chain and is known to have been paired with the WebKit vulnerabilities that Apple patched out in iOS 26.3, though it appears possible it was also exploited in other ways in the past. The vulnerability was most likely leveraged by advanced spyware providers as part of kits such as Pegasus.

Zero-Day vulnerability has been present since iOS 1.0

The zero-day vulnerability seems to have been present in iOS since Steve Jobs first introduced the iPhone nearly 20 years ago. It is a part of Apple’s dynamic linker “dyld”, a fundamental piece of the OS that loads and links all of the dynamic libraries and frameworks that individual apps need to run. Once attackers gain access to memory write capability via other means, they are able to leverage this vulnerability to execute arbitrary code.

Though the zero-day vulnerability was present for a very long time, Apple’s advisory suggests that only “specific targeted individuals” were breached by it. That further supports the idea that commercial spyware vendors were making use of it as a component of their product line. There are multiple possibilities for inducing the vulnerability, but Apple indicates that the primary method was to use the related WebKit vulnerabilities for a one-click or potentially even zero-click approach.

Though the potential breach window is worrying, it would appear that this zero-day vulnerability was hoarded by one of the major spyware vendors (which one is not specified by Apple) and deployed selectively against high-value client targets, which preserved it from detection for such a long time. It is thus not a broad historical concern for the average iOS user, though the operating system should be updated to the latest version as soon as possible now that news about it is out.

Right now, however, many of the details of the story are still speculative. It is not known if a major spyware vendor was the one exploiting the zero-day vulnerability, let alone which of them it was, nor is it known exactly who the targets were or how many there were (or exactly when and how many times since 2007 this vulnerability was exploited). The safe assumption is that it was one of the big vendors that keep finding creative new ways to zero-click both iOS and Android devices, such as NSO Group with its Pegasus software or Intellexa’s Predator.

Serious vulnerabilities present across multiple Apple operating systems

Though iOS is the obvious focus due to the huge global base of iPhone and iPad users, the zero-day vulnerability also impacted macOS, tvOS, watchOS, and visionOS, as all of these also make use of dyld. Apple advises that the vulnerability is present in macOS Tahoe, and it has issued patches for that and all of the other listed OS versions that remove it. It is unclear if anyone was compromised via these routes, but all users are urged to update to the most recent OS versions immediately as a precaution.

This is Apple’s first zero-day vulnerability reported in 2026; seven were reported and patched in 2025. Apple has been in an ongoing battle against spyware vendors for several years now, since the Pegasus Papers revealed the extent to which companies such as NSO Group were able to penetrate its environments with zero-click attacks. It has already issued prior patches to chase these companies out of iMessage, but in September of last year was forced to drop a lawsuit against NSO Group due to fears that critical secrets of its threat intelligence department would be exposed as part of the trial process. The company has since made other moves to thwart spyware vendors, such as expanding its bug bounty program and implementing a high-security “Lockdown Mode” for highly targeted users.

Apple customers must update to iOS 26 to remove this vulnerability, but this OS version requires a device with the A13 Bionic chip, which is present from 2019’s iPhone 11 onward. Apple continues to support some older devices with security updates, but it is unclear if they will get a measure to address this specific issue. Madhav Benoi, Head of Security Research, Approov, believes that older Apple devices will likely remain relatively safe but will require more caution and security awareness from users going forward: “This attack is a powerful primitive that can be used to run arbitrary code. The good news is that it only affects iOS versions below 26. The immediate downside for a victim is complete device compromise. It makes sense that it was used for targeted individuals as for certain political/informational gain, this is a weapon that can be used to gain entryway into targets. Users and organizational security teams should patch Apple iPhones immediately, and if they’re still using iOS 18 and haven’t moved to 26, please do as soon as possible. If they’re continuing to run an iOS version below 26, they should just be careful with what apps they install. Keep an eye out if any apps are popping up random things and are asking for permissions that they don’t need. This could be an indicator of compromise.”

Damon Small, Board Member, Xcape, additionally notes that the zero-day vulnerability requires a sophisticated attack chain to exploit in the manner the security bulletin documents, but that patching up to the most recent available versions is still the smart thing to do: “Apple’s emergency patch for CVE-2026-20700 signifies a rare and concerning development, as the company explicitly warns of an “extremely sophisticated attack,” likely linked to nation-state espionage or commercial spyware. The significant drawback is that even highly controlled mobile ecosystems are vulnerable to advanced exploitation, and targeted individuals may have minimal indication that their devices have been compromised. Discovered by Google’s Threat Analysis Group, this zero-day vulnerability targets the Dynamic Link Editor (dyld), the essential “gatekeeper” responsible for how every application loads and is protected from each other on your device. By compromising this core component, attackers can completely bypass this iOS sandbox, enabling them to execute arbitrary code and silently install persistent surveillance tools. The true concern lies in the frightening precision of the exploit chain, which was used in conjunction with previously patched WebKit vulnerabilities to target high-value individuals with “zero-click” efficiency. For any team managing a fleet of Apple devices, this is not a standard update; it’s a critical emergency that necessitates immediate patching to iOS 26.3 or iOS 18.7.5. Individual users need to be concerned as well and should also update immediately. Patch fast or get pwned! If your iPhones aren’t on the latest build, assume someone’s already working on the next 0-day.”