Apple has patched a memory-corruption zero-day, CVE-2026-20700, that it says was already “exploited in an extremely sophisticated attack against specific targeted individuals.” The flaw affects iPhones and iPads running versions of iOS before iOS 26, and the U.S. Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities catalog a day after disclosure.

The bug sits in dyld, Apple's open-source dynamic link editor that securely loads applications, and was reported by Google's Threat Intelligence Group. Per Apple, an attacker with memory-write capability may be able to execute arbitrary code. The company, which rarely details in-the-wild exploitation, said the attacks resembled prior cases aimed at a small set of high-value individuals.

Apple also linked two previously disclosed WebKit vulnerabilities — CVE-2025-14174 and CVE-2025-43529 — to attacks involving CVE-2026-20700, though it did not explain how the three relate. All three are memory-corruption defects in mobile operating systems, the kind of bug frequently used in targeted spyware operations against dissidents, journalists, and public figures, said VulnCheck's Caitlin Condon.

The fixes ship in iOS 26.3 and iPadOS 26.3, which address 38 vulnerabilities in total. CVE-2026-20700 was the only one Apple flagged as actively exploited ahead of public disclosure, making prompt updating the clear priority for affected devices.