TL;DR: On February 11, 2026, Apple patched a memory corruption bug in dyld, the component that loads every app on your iPhone. It was already being used in attacks. Google's Threat Analysis Group found it, which means this was almost certainly a government-backed spyware operation targeting specific people. The bug chains with two WebKit zero-days from December 2025. Update to iOS 26.3 immediately.
What Happened
Apple released iOS 26.3 on February 11, fixing over 40 security vulnerabilities. One of them (CVE-2026-20700) was already being exploited in the wild [1].
Apple's advisory was characteristically vague: the flaw "may have been exploited in an extremely sophisticated attack against specific targeted individuals" [2]. That's Apple's standard language for "a government or spyware vendor hacked someone's phone, and we just found out."
The vulnerability sits in dyld, Apple's Dynamic Link Editor. That's the system component responsible for loading dynamic libraries into memory: it's the bridge between your apps and the operating system. A bug here is about as deep as you can get without hitting the kernel.
The flaw allows an attacker with memory write capability to execute arbitrary code. In plain English: if someone can corrupt a specific piece of memory, they can run whatever they want on your device [1].
The Attack Chain: Three Bugs, Full Access
CVE-2026-20700 didn't work alone. It chains with two WebKit vulnerabilities that Apple patched in December 2025:
- CVE-2025-14174: An out-of-bounds memory flaw in Chrome's ANGLE graphics library, also exploitable through WebKit
- CVE-2025-43529: A use-after-free vulnerability in WebKit, Apple's browser engine
All three were reported by Google's Threat Analysis Group [1][3].
The attack likely worked like this: a target visits a malicious webpage (or gets sent a link). The WebKit bugs give the attacker an initial foothold: memory access inside the browser sandbox. Then CVE-2026-20700 escalates from memory corruption to arbitrary code execution through dyld, breaking out of the sandbox entirely.
This is a textbook exploit chain: entry through the browser, escalation through a system component. The same pattern was used by NSO Group's Pegasus spyware and Paragon's Graphite tool in previous campaigns [4].
Why Google TAG Matters
Google's Threat Analysis Group isn't a regular bug-hunting team. TAG specifically tracks government-backed hacking operations and commercial spyware vendors. When TAG reports a zero-day to Apple, it means they caught a nation-state or a spyware-for-hire company exploiting it [5].
TAG currently tracks more than 30 commercial surveillance vendors selling exploits and spyware to governments worldwide. Their discovery of CVE-2026-20700 places this attack squarely in that world.
"This is likely part of a highly targeted spyware or surveillance attack on a very small number of individuals' devices," said Caitlin Condon, VP of Security Research at VulnCheck. She noted that memory-corruption exploits like this commonly target "political dissidents, journalists, public figures or other high-value targets" [6].
Apple won't say who was targeted or which government or vendor was behind it. They never do. But the pattern is unmistakable.
The Spyware Pattern
This is Apple's first actively exploited zero-day of 2026. Last year, Apple patched nine zero-days total, several linked to commercial spyware operations [3].
The timing matters. In January 2026, we reported that ICE purchased Paragon's Graphite spyware, which can access messages, cameras, microphones, and location data without any user interaction. In February, Clearview AI signed a contract with the Pentagon, and CBP signed for 15 Clearview AI licenses to access a 60-billion-image facial recognition database.
The surveillance industry is booming. Governments are buying. And Apple devices, marketed as the privacy-focused option, keep showing up as targets.
That doesn't mean iPhones are insecure. It means they're valuable enough that state-backed teams spend millions developing exploits for them. A zero-day exploit chain like this one can sell for $2 million or more on the open market.
What's Affected
CVE-2026-20700 affects:
- iPhones: iPhone 11 and later running iOS before 26.3
- iPads: iPad Pro 12.9-inch (3rd gen+), iPad Air (3rd gen+), iPad (8th gen+), iPad mini (5th gen+)
- Macs: macOS Tahoe before 26.3
- Apple Watch: watchOS before 26.3
- Apple TV: tvOS before 26.3
- Vision Pro: visionOS before 26.3
Apple also backported fixes to older operating systems: iOS 18.7.5, macOS Sequoia 15.7.4, and macOS Sonoma 14.8.4 [2][3].
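A quick way to turn the version list above into a fleet check, as an added example that is not part of the original article: the shell script below classifies a macOS product version string against the fixed builds named here (Tahoe 26.3, Sequoia 15.7.4, Sonoma 14.8.4). The point it makes that the list alone does not is that, because the fix was backported, a plain "is the version at least 26.3" comparison would wrongly flag fully patched Sequoia and Sonoma machines; the comparison has to be made per release line. It uses the real `sw_vers -productVersion` command when run on a Mac and falls back to constructed sample versions elsewhere; the status labels and function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): per-release-line patch check for
# CVE-2026-20700 on macOS. Fixed versions are the ones the article lists:
#   macOS Tahoe   26.3
#   macOS Sequoia 15.7.4
#   macOS Sonoma  14.8.4
# Older major lines (13.x and earlier) have no fix listed, so they are
# reported as NO-FIX-LISTED rather than silently treated as patched.

# version_ge A B: succeed if dotted version A >= B, comparing numerically so
# that 26.10 sorts after 26.3 and "26.3" equals "26.3.0".
version_ge() {
  a1=$(printf '%s' "$1" | cut -d. -f1)
  a2=$(printf '%s' "$1" | cut -s -d. -f2); a2=${a2:-0}
  a3=$(printf '%s' "$1" | cut -s -d. -f3); a3=${a3:-0}
  b1=$(printf '%s' "$2" | cut -d. -f1)
  b2=$(printf '%s' "$2" | cut -s -d. -f2); b2=${b2:-0}
  b3=$(printf '%s' "$2" | cut -s -d. -f3); b3=${b3:-0}
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# fixed_version_for_major MAJOR: print the first fixed build on that release
# line, or fail when the article lists no fix for it.
fixed_version_for_major() {
  case "$1" in
    26) echo 26.3 ;;
    15) echo 15.7.4 ;;
    14) echo 14.8.4 ;;
    *)  return 1 ;;
  esac
}

# patch_status VERSION: print PATCHED, UNPATCHED or NO-FIX-LISTED.
# Each line is judged against its own backport, never against 26.3 alone.
patch_status() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  fixed=$(fixed_version_for_major "$major") || { echo NO-FIX-LISTED; return 0; }
  if version_ge "$1" "$fixed"; then echo PATCHED; else echo UNPATCHED; fi
}

# On a Mac, check the running system; elsewhere, run the constructed samples.
if command -v sw_vers >/dev/null 2>&1; then
  v=$(sw_vers -productVersion)
  echo "$v $(patch_status "$v")"
else
  for v in 26.3 26.2.1 15.7.4 15.7.3 14.8.4 14.8.3 13.7.8; do
    echo "$v $(patch_status "$v")"   # constructed sample versions
  done
fi
```

Feed it the version column from an MDM inventory export and anything reported UNPATCHED or NO-FIX-LISTED is a device still exposed to the bug described above.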
What You Should Do
Update Now
Go to Settings > General > Software Update. Install iOS 26.3 (or iOS 18.7.5 if you're on an older device). Do this today, not next week.
Enable Lockdown Mode
If you're a journalist, activist, lawyer, or anyone who might be a target: Settings > Privacy & Security > Lockdown Mode. It blocks most exploit chains by disabling features attackers use as entry points. Yes, it limits some functionality. That's the point.
Turn On Automatic Updates
Settings > General > Software Update > Automatic Updates. Toggle on "Install iOS Updates." Zero-day patches need to reach your device before an attacker does.
Watch for Threat Notifications
Apple sends direct notifications to users it believes were targeted by state-sponsored attacks. If you receive one, take it seriously. Apple's threat notification page explains what to do.
Why This Matters Beyond "Specific Targeted Individuals"
Apple always frames these exploits as targeting "specific individuals." That's probably true today. But here's the catch: once a zero-day is discovered and patched, the exploit details eventually become public. Security researchers reverse-engineer the patch to understand the bug. And then less sophisticated attackers build their own versions.
The window between "state-sponsored spyware" and "script kiddie toolkit" keeps shrinking. Today's targeted attack becomes tomorrow's commodity malware. The only defense is patching before that happens.
CISA added CVE-2026-20700 to its Known Exploited Vulnerabilities catalog, which means federal agencies are required to patch within a set timeline. You should treat it with the same urgency [1].
References
- CyberScoop: Apple discloses first actively exploited zero-day of 2026 (February 11, 2026)
- Security Affairs: Apple fixed first actively exploited zero-day in 2026 (February 12, 2026)
- Help Net Security: Apple fixes zero-day flaw exploited in targeted attacks, CVE-2026-20700 (February 12, 2026)
- SOC Prime: CVE-2026-20700, Apple Patches Zero-Day Exploited in Sophisticated Cyber Attacks (February 2026)
- Cyber Security News: Apple 0-Day Vulnerability Actively Exploited in Sophisticated Attack (February 2026)
- Cyber Kendra: Apple Rushes Patch for Actively Exploited Zero-Day Linked to Spyware Attacks (February 2026)