Apple fixed the first actively exploited zero-day in 2026, addressing a memory corruption flaw in Apple’s Dynamic Link Editor (dyld) that could allow attackers to run arbitrary code. The zero-day, tracked as CVE-2026-20700, prompted updates for iOS, iPadOS, macOS, watchOS, tvOS and visionOS to mitigate the risk. According to Google’s Threat Analysis Group, the flaw may have been exploited in the wild by nation-state actors or commercial spyware vendors.
Apple notes that two earlier vulnerabilities, CVE-2025-14174 and CVE-2025-43529, were also fixed in December 2025 after reports of active exploitation. CVE-2025-14174 involves an out-of-bounds memory access in ANGLE, and CVE-2025-43529 is a WebKit use-after-free bug.
Updates are available in iOS 26.3, iPadOS 26.3 and the other listed platforms for devices including iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later. The advisory also references older fixes for Safari and WebKit across supported Apple devices.