Sécurité 10 min read

Apple zero-day CVE-2026-20700: critical dyld flaw patched in an emergency release

Apple patches CVE-2026-20700, a zero-day in dyld under active exploitation. A technical breakdown of the flaw, its attack vectors and the protective measures admins should take.

On February 12, 2026, Apple shipped critical security updates across its entire operating system lineup. At the heart of this wave of patches sits CVE-2026-20700, a zero-day vulnerability in dyld (the Dynamic Link Editor), the component responsible for loading dynamic libraries on macOS and iOS. The flaw, a memory-corruption bug, allows arbitrary code execution with kernel privileges. Apple described the attack as extremely sophisticated and aimed at specific individuals.

For system administrators managing fleets of Apple devices in the enterprise, this vulnerability is a serious risk. Here is a detailed breakdown of the flaw, how it works, and the concrete measures to put in place right away.

Critical alert: CVE-2026-20700 is being actively exploited. If you manage Apple devices, deploy the iOS 26.3, macOS Tahoe 26.3, watchOS 12.3 and visionOS 3.3 updates without delay.

What is dyld and why does it matter so much?

Before diving into the flaw, you need to understand the role of dyld in the Apple ecosystem. dyld, short for Dynamic Link Editor, is the dynamic library loader on macOS and iOS. Every time an application starts, it is dyld that resolves dependencies, loads shared libraries (.dylib) into memory and binds their symbols together.

In practice, dyld runs before the application's own code ever executes. It operates in a highly privileged context because it has to manipulate process memory spaces and resolve function pointers. A flaw in dyld is therefore especially dangerous: it potentially grants access to the memory of any process at startup time.

On a Mac, you can observe dyld activity using its debug environment variables:

# Show the libraries loaded by a process
DYLD_PRINT_LIBRARIES=1 /usr/bin/open -a Calculator

# List a binary's dynamic dependencies
otool -L /usr/bin/ssh

# Inspect the shared dyld cache
dyld_info -platform /usr/lib/dyld

The dyld shared cache is a performance mechanism that preloads all the system libraries into a single unified file. It is precisely in the handling of this cache that the CVE-2026-20700 vulnerability was found.

CVE-2026-20700: a technical breakdown of the flaw

The vulnerability lies in the way dyld handles Mach-O segments when loading libraries into the shared cache. Mach-O is Apple's native executable format (the equivalent of ELF on Linux). Every Mach-O binary contains segments (__TEXT, __DATA, __LINKEDIT) that describe the various code and data sections.

The problem sits in the segment metadata validation. When a specially crafted binary supplies segment size values that are inconsistent with the expected memory alignment, dyld performs an offset calculation that overflows. This integer overflow triggers a write beyond the bounds of the allocated buffer, corrupting adjacent control structures in memory.

In simplified terms:

  1. The attacker crafts a Mach-O binary with malformed segment metadata
  2. When dyld loads this binary, it miscalculates the required buffer size
  3. The segment data overflows into adjacent memory
  4. The attacker controls the data that overwrites the control structures
  5. Execution is redirected to the attacker's shellcode with kernel privileges

This kind of primitive (an arbitrary write into kernel memory) is the holy grail for an attacker. It allows them to bypass every protection: sandboxing, code signing, System Integrity Protection (SIP), and even the Secure Enclave on devices fitted with Apple Silicon chips.

A zero-interaction attack vector

The most worrying aspect of CVE-2026-20700 is its exploitation vector. According to early analysis, the attack observed in the wild used a delivery mechanism requiring no interaction from the victim (zero-click). The malicious binary was embedded in specially crafted multimedia content delivered over iMessage.

The exploitation flow breaks down as follows:

  1. The victim receives an iMessage containing a multimedia attachment
  2. The preview system tries to render the content, triggering a library load
  3. dyld loads the malicious component, triggering the memory corruption
  4. The attacker gains kernel-level code execution
  5. An implant is persistently installed on the device

This exploitation chain echoes the FORCEDENTRY attacks discovered in 2021, which already targeted the iMessage rendering engine. The technical sophistication required to develop such an exploit is considerable, which reinforces the hypothesis of a state-sponsored actor.

Who is being targeted? The role of Google TAG

The flaw was discovered and reported by Google's Threat Analysis Group (TAG), a team specialized in tracking advanced threats and state-sponsored actors. The fact that it was TAG that identified the active exploitation suggests the targets were high-risk individuals: journalists, activists, political dissidents or government officials.

Apple described the attacks as extremely sophisticated and targeting specific individuals. That kind of wording is characteristic of exploits developed by commercial surveillance companies (think NSO Group) or intelligence services. The exploit was not observed in mass campaigns.

The danger does not end there, however. Once a zero-day is patched and the technical details leak out, less sophisticated cybercriminal groups develop their own exploits by analyzing the fix. The gap between a patch being published and the appearance of "n-day" exploits is shrinking year after year: sometimes it is just a few days.

Apple's patches: which systems are affected?

Apple released fixes simultaneously across all of its platforms:

  • iOS 26.3 and iPadOS 26.3: all compatible iPhones and iPads
  • macOS Tahoe 26.3: all Macs running macOS Tahoe
  • macOS Sequoia 15.7.4: a backported fix for Macs that have not yet migrated to Tahoe
  • watchOS 12.3: Apple Watch Series 6 and later
  • tvOS 19.3: Apple TV HD and 4K
  • visionOS 3.3: Apple Vision Pro
  • Safari 19.3: a standalone fix for earlier macOS versions

The patch modifies the Mach-O segment validation routine in dyld to add strict bounds checks on size and offset values before any memory-allocation calculation. An additional integrity check was added when loading the shared cache.

Checking and applying the updates

On a managed Apple fleet, the absolute priority is to force the rollout of the updates within 24 to 48 hours of their release. Here are the useful commands depending on the context:

On macOS (individual machine)

# Check the current version
sw_vers

# List the available updates
softwareupdate -l

# Install all security updates
sudo softwareupdate -ia --restart

# Verify the fix is applied (minimum build)
sw_vers -buildVersion

On macOS (MDM / managed fleet)

# Via Jamf Pro - force the update on a group
# Automatic update policy with forced restart

# Via Apple Business Manager + MDM
# ScheduleOSUpdate MDM command:
# - InstallAction: InstallASAP
# - ProductVersion: 26.3

# Deployment check via osquery
osqueryi "SELECT version, build FROM os_version;"

# Fleet audit with a compliance script
#!/bin/bash
REQUIRED_BUILD="26D50"
CURRENT_BUILD=$(sw_vers -buildVersion)
if [[ "$CURRENT_BUILD" < "$REQUIRED_BUILD" ]]; then
    echo "NON-COMPLIANT - Build: $CURRENT_BUILD"
    exit 1
else
    echo "COMPLIANT - Build: $CURRENT_BUILD"
    exit 0
fi

On iOS (supervised devices)

# Via MDM - force the iOS update
# ScheduleOSUpdate command with:
# - InstallAction: InstallASAP
# - MaxUserDeferrals: 0

# For an unsupervised fleet, push a notification
# and check compliance after 48h via:
# DeviceInformation > OSVersion query

Additional protective measures

The patch fixes the flaw, but a defense-in-depth strategy is essential to limit the impact of future Patch Tuesday. Here are the measures to implement:

1. Enable Lockdown Mode

Apple's Lockdown Mode disables a number of attack vectors, notably the automatic preview of attachments in iMessage. That is precisely the kind of restriction that could have blocked the exploitation of CVE-2026-20700.

# Check whether Lockdown Mode is active on macOS
defaults read /Library/Managed\ Preferences/com.apple.security.lockdown 2>/dev/null

# Enable via MDM (configuration profile)
# PayloadType: com.apple.security.lockdown
# LockdownModeEnabled: true

This mode is designed for high-risk users, but in the context of an active zero-day it is worth evaluating for the whole fleet, at least temporarily.

2. Restrict iMessage and AirDrop

Zero-click attacks frequently target iMessage as a delivery vector. On a corporate fleet, consider disabling iMessage on managed devices via an MDM restriction profile, or at the very least blocking incoming messages from unknown senders.

3. Monitor for indicators of compromise

Even after applying the patch, it is crucial to verify that your devices were not compromised before the fix landed:

# Look for suspicious processes (macOS)
ps aux | grep -E "(launchd|dyld)" | grep -v grep

# Check for non-standard launch daemons
ls -la /Library/LaunchDaemons/ /Library/LaunchAgents/
ls -la ~/Library/LaunchAgents/

# Hunt for suspicious injected libraries
find /usr/local/lib -name "*.dylib" -newer /usr/lib/dyld -print

# Examine dyld-related crash logs
log show --predicate 'process == "dyld"' --last 7d

# Scan with iVerify or MVT (Mobile Verification Toolkit)
# for potentially targeted iOS devices

4. Segment the network of Apple devices

A device compromised through a zero-day can serve as an entry point to the rest of the infrastructure. Make sure your Apple devices sit on a dedicated network segment, with strict firewall rules limiting lateral communications. A tool like ufw on your Linux servers lets you finely restrict inbound connections from the Apple segment.

5. Enable Rapid Security Response

Since macOS Ventura and iOS 16, Apple offers Rapid Security Responses: micro security updates that apply without a full reboot. Make sure this feature is enabled across your entire fleet:

# Check the status via MDM
# Configuration profile:
# PayloadType: com.apple.SoftwareUpdate
# AutomaticallyInstallAppUpdates: true
# AutomaticCheckEnabled: true
# CriticalUpdateInstall: true

The bigger picture: Apple zero-days in 2025-2026

CVE-2026-20700 is part of an increasingly frequent run of Apple zero-days. In 2025 alone, Apple patched more than 20 zero-day vulnerabilities under active exploitation, an unprecedented pace. The most heavily targeted components are recurring:

  • WebKit: the web rendering engine, a massive attack surface via Safari and WebViews
  • IOKit / IOSurface: the kernel drivers, a gateway to kernel privileges
  • dyld: the library loader, a fundamental component that is rarely audited
  • ImageIO: the image-processing framework, a classic zero-click vector

This trend illustrates an important point: Apple's security is not infallible. The closed ecosystem offers some protection against mass-market threats, but attackers with enough motivation and funding do find flaws. For administrators, this means you should never treat an Apple fleet as inherently secure.

Folding zero-day intelligence into your workflow

Responsiveness is the decisive factor against zero-days. Here is a minimal workflow to put in place:

  1. Monitor the Apple Security bulletins (apple.com/security/updates) and the associated RSS feeds
  2. Automate the detection of new CVEs through your SIEM or a dedicated intelligence tool
  3. Qualify the impact in under 2 hours: which attack surface, which devices are affected
  4. Deploy the fix in under 48 hours across the entire fleet
  5. Audit for traces of potential compromise before the patch

If you also manage Linux servers, the same discipline applies. The Linux server security checklist provides a similar framework for your non-Apple infrastructure. And if you use Fail2ban on your servers, do not forget that it is only one layer among many in your defense strategy.

Key takeaways

CVE-2026-20700 is a blunt reminder that zero-day vulnerabilities in the fundamental components of operating systems exist and are being exploited. dyld is a component that most administrators do not even monitor, and that is precisely what makes it attractive to sophisticated attackers.

The essential points:

  • Patch immediately: iOS 26.3, macOS Tahoe 26.3 and every Apple platform
  • Evaluate Lockdown Mode for your most exposed users
  • Audit your devices for indicators of compromise
  • Automate your intelligence and your patch-deployment process
  • Never trust security by default, even within a closed ecosystem

Security is not a product, it is a process. Every patched zero-day is an opportunity to verify that your update pipeline works correctly and that your reaction time matches the threat.

Did you enjoy this article?

Comments

Morgann Riu

Cybersecurity and Linux administration expert. I help companies secure and optimize their critical infrastructures.

Contact me
apple zero-day iOS macOS CVE dyld security
Sécurité

Sécuriser une instance Ollama exposée : les vrais risques de l'IA locale sur un réseau
Sécurité

VPN sous le feu : Check Point (Qilin) et Cisco SD-WAN, deux zero-days exploités en juin 2026
Sécurité

Patch Tuesday juin 2026 : le plus chargé de l'histoire, avec une faille kernel wormable
Sécurité

React2Shell (CVE-2025-55182) : la RCE CVSS 10 qui hante l'écosystème React et Next.js

Related tutorial

Back to the blog

Checklist Sécurité Linux

30 points essentiels pour sécuriser un serveur Linux. Recevez aussi les nouveaux tutoriels par email.

Pas de spam. Désabonnement en 1 clic.