Apple patches decade-old iOS zero-day exploited in the wild • The Register


Privacy Reporter

Apple has patched a critical zero-day vulnerability in iOS that has existed since the first iPhone, one that commercial spyware developers used in sophisticated attacks against targeted individuals.

Apple has issued an emergency security update for iOS, patching a critical zero-day vulnerability that has existed in every version of iOS since the original iPhone launched in 2007. The flaw, designated CVE-2026-20700, affects dyld - Apple's dynamic linker - and was discovered by Google's Threat Analysis Group.

A decade-old vulnerability finally closed

The vulnerability allows attackers with memory write capability to execute arbitrary code, potentially giving them complete control over affected devices. Apple confirmed the flaw was exploited in the wild and may have been part of an exploit chain targeting "specific targeted individuals."

Apple's advisory stated: "An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26."

Brian Milbier, deputy CISO at Huntress, provided a helpful analogy to understand the vulnerability's severity: "Think of dyld as the doorman for your phone. Every single app that wants to run must first pass through this doorman to be assembled and given permission to start. Usually, the doorman checks credentials and places apps in a high-security 'sandbox' where they can't touch your private data. This vulnerability allows an attacker to trick the doorman into handing over a master key before security checks even begin."

The commercial spyware connection

Security researchers believe this vulnerability was likely developed by commercial surveillance companies that sell spyware tools to government clients. These companies have previously created prominent spyware like Pegasus and Predator, which have been used for surveillance operations worldwide.

The sophistication of this attack is particularly concerning. By chaining the dyld vulnerability with WebKit flaws that Apple also addressed in the iOS 26.3 update, attackers created a "zero-click" or "one-click" path to total device control. Milbier explained: "They use a fake ID to bypass the front gate – your browser – and then exploit the doorman's flaw to take over the entire building."

Broader security implications

This discovery highlights several critical issues in the cybersecurity landscape:

  1. Long-lived vulnerabilities: A flaw that has existed for over a decade in the core iOS system demonstrates how deeply embedded security issues can persist undetected

  2. Commercial surveillance industry: Private companies developing and selling powerful surveillance tools to governments represent a growing threat to digital privacy

  3. Targeted attacks: The fact that this was used against "specific targeted individuals" rather than being a widespread attack suggests sophisticated threat actors are actively exploiting these vulnerabilities

  4. Zero-click exploits: The ability to compromise devices without user interaction represents one of the most dangerous forms of mobile malware

Other vulnerabilities addressed

While CVE-2026-20700 is the most critical flaw addressed in this update, Apple's iOS 26.3 and iPadOS 26.3 releases include fixes for numerous other security issues. These include vulnerabilities that could grant root access and disclose sensitive user information.

Google's Threat Analysis Group also referenced two other December vulnerabilities in their report, both carrying 8.8 CVSS scores. CVE-2025-14174 is an out-of-bounds memory access flaw in Google Chrome's ANGLE graphics engine on Mac, while CVE-2025-43529 is a use-after-free vulnerability leading to code execution.

What users should do

Given the severity and active exploitation of this vulnerability, Apple users should update their devices to iOS 26.3 or iPadOS 26.3 immediately. The update is available for all supported devices and represents one of the most critical security patches in recent iOS history.

The fact that a vulnerability has existed since the first iPhone underscores the importance of regular security updates and the ongoing arms race between tech companies and sophisticated threat actors. While Apple has now closed this particular door, the discovery serves as a reminder that even the most secure systems can harbor hidden vulnerabilities for years before being discovered and exploited.
