CVE-2026-20700 — Apple Multiple Buffer Overflow Vulnerability

Apple dyld — Memory Corruption in Dynamic Linker Enabling Code Execution (Google TAG Spyware Chain)

What is Apple dyld?

Apple's dyld (dynamic linker/loader) is a foundational component present on every Apple platform — iOS, macOS, tvOS, watchOS, and visionOS. It is responsible for loading executables and dynamically linking shared libraries at process launch. Every application on an Apple device passes through dyld; a vulnerability in this component can affect the entire OS security model. Because dyld operates before normal process isolation is established, flaws in it can be exploited to bypass sandbox restrictions and achieve full code execution outside normal security boundaries.

Overview

CVE-2026-20700 is a memory corruption vulnerability (buffer overflow / state management flaw, CWE-119) in Apple's dyld dynamic linker. Apple describes the fix as "a memory corruption issue addressed with improved state management." An attacker with memory write capability can corrupt dyld's internal state to achieve arbitrary code execution. The vulnerability affects all major Apple platforms and was used as one component in a sophisticated three-vulnerability exploit chain deployed by a nation-state actor against targeted individuals. Google's Threat Analysis Group (TAG) discovered and reported the bug.

Affected Versions

Platform          Vulnerable          Fixed
iOS / iPadOS      Prior to 26.3       iOS/iPadOS 26.3
macOS Tahoe       Prior to 26.3       macOS Tahoe 26.3
macOS Sequoia     Prior to 15.7.4     macOS Sequoia 15.7.4
macOS Sonoma      Prior to 14.8.4     macOS Sonoma 14.8.4
tvOS              Prior to 26.3       tvOS 26.3
watchOS           Prior to 26.3       watchOS 26.3
visionOS          Prior to 26.3       visionOS 26.3

Technical Details

The vulnerability is a memory corruption flaw (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) in dyld's internal state management. When dyld processes specially crafted binary or library data, a state management error results in an out-of-bounds memory operation. An attacker who has already achieved memory write capability — typically via a separate exploit — can trigger this flaw to corrupt dyld's state in a way that redirects execution to attacker-controlled code.

In the observed exploit chain, this bug served as the code execution primitive after initial memory write access was obtained through WebKit renderer exploits (CVE-2025-14174 and CVE-2025-43529). Because dyld executes at a privileged stage of process initialization, exploitation can achieve code execution outside the normal app sandbox, significantly extending attacker capabilities.

Discovery

Reported by Google Threat Analysis Group (TAG) on 11 February 2026.

Exploitation Context

Apple confirmed that CVE-2026-20700 "was used in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26." The vulnerability was chained with two WebKit bugs — CVE-2025-14174 and CVE-2025-43529 — to form a complete exploit chain: the WebKit bugs provided initial code execution in the renderer, and CVE-2026-20700 served as the privilege escalation / sandbox escape step. This chain is consistent with government-grade spyware deployment (e.g., Pegasus-class implants), where a full chain from a web page or message to persistent device compromise is assembled from multiple individual bugs. Google TAG's involvement indicates attribution to a government-backed threat actor.

Remediation

  1. Update all Apple devices immediately to the fixed OS versions: iOS/iPadOS 26.3, macOS Tahoe 26.3 (or Sequoia 15.7.4 / Sonoma 14.8.4), tvOS 26.3, watchOS 26.3, visionOS 26.3.
  2. Enable automatic updates on all Apple devices — Settings → General → Software Update → Automatic Updates.
  3. For high-risk individuals (journalists, activists, government officials, executives): consider enabling Apple's Lockdown Mode, which significantly reduces attack surface for advanced spyware delivery.
  4. Monitor for unusual device behavior: unexpected battery drain, background data usage, unusual app activity — common indicators of advanced mobile spyware.
  5. MDM-managed fleets: push the update via your MDM solution and validate compliance across all enrolled devices within the CISA deadline.
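To make steps 1 and 5 checkable across a fleet, the following is an added example (not part of this advisory and not Apple, CISA or MDM-vendor tooling) that classifies reported OS versions against the fixed versions in the Affected Versions table above. The only real values in it are those fixed versions; the inventory rows, device names and the `(device_id, platform, product_version)` row format are constructed for illustration. The input version string is what `sw_vers -productVersion` prints on a Mac, or the ProductVersion field an MDM inventory export reports.

```python
import platform
import re

# Fixed versions from the advisory's Affected Versions table, keyed by the
# major version number that identifies each macOS release line.
FIXED_MACOS = {
    26: (26, 3, 0),   # macOS Tahoe 26.3
    15: (15, 7, 4),   # macOS Sequoia 15.7.4
    14: (14, 8, 4),   # macOS Sonoma 14.8.4
}
# iOS/iPadOS, tvOS, watchOS and visionOS all received the fix in 26.3.
FIXED_OTHER = (26, 3, 0)


def parse_version(text):
    """Turn '15.7.4', '26.3' or '14.8' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def macos_status(product_version):
    """Classify a macOS ProductVersion string against the advisory's fixed builds.

    Returns 'fixed', 'vulnerable', 'unsupported' or 'unknown'. Release lines
    older than Sonoma (major < 14) received no fix in this advisory, so they are
    reported as 'unsupported' rather than silently treated as safe; a major
    version the table does not list at all is reported as 'unknown'.
    """
    v = parse_version(product_version)
    fixed = FIXED_MACOS.get(v[0])
    if fixed is None:
        return "unsupported" if v[0] < 14 else "unknown"
    return "fixed" if v >= fixed else "vulnerable"


def other_os_status(product_version):
    """Classify iOS/iPadOS, tvOS, watchOS or visionOS, which share the 26.3 fix."""
    v = parse_version(product_version)
    return "fixed" if v >= FIXED_OTHER else "vulnerable"


def audit(inventory):
    """Map device id -> status for rows of (device_id, platform, product_version).

    The row format is an assumption for this example; adapt it to the columns
    your MDM export actually produces.
    """
    report = {}
    for device_id, os_name, version in inventory:
        if os_name == "macOS":
            report[device_id] = macos_status(version)
        else:
            report[device_id] = other_os_status(version)
    return report


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    ("mac-001", "macOS", "26.3"),
    ("mac-002", "macOS", "15.7.3"),
    ("mac-003", "macOS", "14.8.4"),
    ("mac-004", "macOS", "13.7.1"),
    ("phone-01", "iOS", "26.2.1"),
    ("phone-02", "iOS", "26.3"),
    ("watch-01", "watchOS", "26.3.1"),
]


if __name__ == "__main__":
    local = platform.mac_ver()[0]  # empty string when not running on macOS
    if local:
        print("this Mac:", local, "->", macos_status(local))
    for dev, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(dev, status)
```

Devices reported as "vulnerable" are the ones to push the update to before the 2026-03-05 deadline; "unsupported" Macs cannot be brought into compliance by patching and need an OS upgrade or removal from the fleet.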

Key Details

Property              Value
CVE ID                CVE-2026-20700
Vendor / Product      Apple — Multiple Products
NVD Published         2026-02-11
NVD Last Modified     2026-03-25
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-119
CISA KEV Added        2026-02-12
CISA KEV Deadline     2026-03-05
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-03-05. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2026-02-11  Apple releases iOS/iPadOS 26.3, macOS Tahoe 26.3 (+ Sequoia 15.7.4, Sonoma 14.8.4), tvOS 26.3, watchOS 26.3, visionOS 26.3 — all fixing this zero-day; reported by Google TAG
2026-02-12  Added to CISA Known Exploited Vulnerabilities catalog
2026-03-05  CISA BOD 22-01 remediation deadline