At a glance: Apple patched a critical flaw, CVE-2026-20700, which had been used in targeted attacks against outdated OS versions and allowed attackers to escalate an existing foothold to system-level code execution. Timely updates are essential, especially since several legacy OS branches still lack backported fixes.
Threat summary
On February 11, 2026, Apple released patches addressing a critical flaw that was exploited in targeted attacks on versions prior to the current operating system updates for iPhone, iPad, Mac, Apple Watch, Apple TV, and Apple Vision Pro:
- iOS 26.3 and iPadOS 26.3 - iPhone 11 and later; iPad Pro 12.9‑inch (3rd gen+) and 11‑inch (1st gen+); iPad Air 3rd gen+; iPad 8th gen+; iPad mini 5th gen+
- iOS 18.7.5 and iPadOS 18.7.5 - iPhone XS, iPhone XS Max, iPhone XR, iPad 7th gen
- macOS Tahoe 26.3, Sequoia 15.7.4, and Sonoma 14.8.4
- tvOS 26.3 - Apple TV HD and Apple TV 4K (all models)
- watchOS 26.3 - Apple Watch Series 6 and later
- visionOS 26.3 - Apple Vision Pro (all models)
- Safari 26.3 - macOS Sonoma and macOS Sequoia
The legacy OS branches, such as iOS 18.7.5, iPadOS 18.7.5, macOS Sequoia 15.7.4, and macOS Sonoma 14.8.4, are still awaiting a backported fix with no timeline published as of February 12.
The vulnerability, tracked as CVE-2026-20700 with a CVSS of 7.8, involves memory corruption in Apple’s Dynamic Link Editor, known as dyld. Dyld is responsible for loading and linking the dynamic libraries that applications rely on, which makes it a core component of the operating system.
In practical terms, the vulnerability does not grant initial access. Instead, it acts as a privilege-enabling step that turns the initial foothold into code execution at the system level. In many real-world attack chains, that step functions like a privilege escalation because it converts a limited capability (memory write) into full control of the device.
Google Threat Analysis Group (TAG) discovered and reported the vulnerability, linking it to the same activity cluster associated with earlier activity involving CVE-2025-14174 and CVE-2025-43529, which were patched in December 2025. Apple stated that exploitation began in 2025 and targeted specific individuals running versions of iOS prior to 26. The threat actor has not been publicly attributed beyond these claims from Apple and TAG.
Analysis & mitigation
The primary mitigation is deploying Apple’s February 11 security updates across all supported platforms, including iOS, iPadOS, macOS, watchOS, tvOS, visionOS, and Safari, where and when available. Ensure that automatic updates are enabled; on iOS and iPadOS, navigate to Settings -> General -> Software Update.
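One way to act on the update guidance above is to sort a device inventory by where each device stands against the releases this advisory lists. The following is an added example, not Apple's or the author's code; the inventory rows, function names and status labels are assumptions made for illustration.

```python
# Added example. Inventory rows are constructed; status names are this example's own.
import csv
import io

FIXED = (26, 3, 0)  # 26.3 on iOS, iPadOS, macOS, tvOS, watchOS, visionOS
LEGACY = {  # legacy branches named in the advisory: major -> February 11 release
    "iOS": {18: (18, 7, 5)},
    "iPadOS": {18: (18, 7, 5)},
    "macOS": {15: (15, 7, 4), 14: (14, 8, 4)},
}
PLATFORMS = {"iOS", "iPadOS", "macOS", "tvOS", "watchOS", "visionOS"}

INVENTORY = """host,platform,version
ceo-iphone,iOS,26.2.1
lab-ipad,iPadOS,18.7.5
build-mac-01,macOS,15.7.3
design-mac-02,macOS,26.3
"""

def parse_version(text):
    """'18.7' -> (18, 7, 0), padded so tuples compare component by component."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(platform, version):
    if platform not in PLATFORMS:
        return "unknown-platform"
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable-version"
    if v >= FIXED:  # assumption: releases after 26.3 keep the fix
        return "fixed"
    if v[0] == FIXED[0]:
        return "update-to-26.3"
    legacy = LEGACY.get(platform, {}).get(v[0])
    if legacy is None:
        return "branch-not-in-advisory"
    # Per the advisory, the legacy releases still await the CVE-2026-20700 backport.
    return "legacy-awaiting-backport" if v >= legacy else "legacy-behind"

def report(csv_text):
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        out.setdefault(triage(row["platform"], row["version"]), []).append(row["host"])
    return out

if __name__ == "__main__":
    for status, hosts in sorted(report(INVENTORY).items()):
        print(f"{status:26} {', '.join(hosts)}")
```

Devices reported as legacy-awaiting-backport have the latest legacy release installed but should stay on a watch list until the backported fix ships.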
Organizations can reduce the likelihood of attackers gaining the initial memory‑write foothold required for exploitation by tightening application‑level controls, restricting sideloading, and limiting installation of untrusted or unmanaged apps.
Strengthening endpoint telemetry and monitoring for indicators of memory corruption or anomalous dyld behavior provides additional visibility into potential post‑compromise activity.